ansible-lint 2.3.7 added a rule checking for use of the deprecated
'sudo' and 'sudo_user' directives. They have been replaced with 'become'
and 'become_user' respectively.
Change-Id: I2271fe8468840884f19f41abba37e696c6296350
Working around the upstream ansible apt module bug
documented here:
https://github.com/ansible/ansible-modules-core/pull/1517
For the next versions of ansible we'll be using, we should
check if the apt bug is fixed. When it's fixed, we could
abandon this change and use the standard apt module
with correct cache handling.
Change-Id: I2aaf00da175f31d0157bbc4ae30a4e176b055078
Deploy user SSL keys for novnc console containers so users viewing
the console in Horizon will be able to access the console over https.
Example configuration:
nova_console_type: novnc
nova_novncproxy_proto: https
nova_console_user_ssl_cert: ~/certs/horizon.pem
nova_console_user_ssl_key: ~/certs/horizon.key
nova_console_user_ssl_ca_cert: "{{ ssl_ca_cert }}"
Change-Id: Icb66631ac0b00afe12519fd742e3198e828a10cc
Currently, if you run the os-nova-install.yml playbook with the
nova-config or nova-install tags, the run will fail as nova_virt_type
is not defined anywhere. This commit updates os_nova/tasks/main.yml by
adding the always tag so that nova_virt_detect.yml is always included.
Change-Id: Id0fdd12aecc63c066da985fbb058cb85926b2ff3
We currently have two issues with venvs:
- if you update your venv on the repo server, it is not possible for
that updated venv to land on the service's container as the get_url
task always skips if the file exists (even if the file is different)
- if you have an updated venv on the repo server and forcefully delete
the cached venv tarball on the service's container, the new tarball
will get unarchived over top of the existing venv
This commit does the following:
- gets the checksum of the /var/cache tarball and downloads checksum
file from repo server
- updates "Attempt venv download" to only download the venv if the
cache doesn't exist or if the local and remote checksums differ
- adds a "force: true" to "Attempt venv download" task so that the venv
tarball will get re-downloaded when the when condition is true (this
is necessary otherwise the download will get skipped since the
destination already exists)
- adds a new task "Remove existing venv" so we can first remove the
venv before we unarchive the potentially new venv from the repo
server
- updates "Create nova venv dir" and "Unarchive pre-built venv"
tasks to only proceed if "nova_get_venv | changed", which
prevents these tasks from running when the venv tarball hasn't
changed
- adds multiple service restarts to
os_nova/tasks/nova_install.yml so that nova will restart
correctly should the venv/packages update without any associated
config changes
NOTE: The reason why we compare local and remote checksum is to avoid
unnecessarily downloading the venv when the checksums are in fact
the same. On small deploys this is more or less a non-issue but
if a deploy w/ thousands of compute nodes re-runs playbooks we
want to limit the venv downloads when it's unnecessary.
Change-Id: Ibe25126ee38f51fb71f877a54d32dd56d2a8a74d
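The checksum-gated venv refresh described in the commit message above, as an added Python example; it is not the role's Ansible tasks. The `fetch` callable, the file names `venv.tgz` and `venv.tgz.checksum`, the use of SHA-256 and the post-download verification are assumptions made for the illustration.

```python
import hashlib
import io
import shutil
import tarfile
from pathlib import Path


def file_sha256(path: Path):
    """Hex SHA-256 of a file, or None when the file is absent."""
    return hashlib.sha256(path.read_bytes()).hexdigest() if path.exists() else None


def sync_venv(fetch, cache_tarball: Path, venv_dir: Path) -> bool:
    """Refresh venv_dir from the repo server; return True if it was replaced.

    fetch(name) -> bytes is a hypothetical transport standing in for the
    HTTP download from the repo server.
    """
    remote_sum = fetch("venv.tgz.checksum").decode().split()[0]
    if file_sha256(cache_tarball) == remote_sum:
        return False  # cache is current: no download, no unarchive, no restart
    data = fetch("venv.tgz")  # re-download even though the destination exists
    # Added hardening, not described in the commit: verify what was downloaded.
    if hashlib.sha256(data).hexdigest() != remote_sum:
        raise ValueError("tarball does not match the published checksum")
    cache_tarball.write_bytes(data)
    shutil.rmtree(venv_dir, ignore_errors=True)  # never unpack over the old venv
    venv_dir.mkdir(parents=True)
    # Use the "data" extraction filter where this Python provides it.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(cache_tarball) as tar:
        tar.extractall(venv_dir, **extra)
    return True


def make_tarball(marker: bytes) -> bytes:
    """Build a constructed one-file venv tarball for the demonstration."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("marker.txt")
        info.size = len(marker)
        tar.addfile(info, io.BytesIO(marker))
    return buf.getvalue()
```

A `True` return corresponds to the case where the dependent tasks and service restarts should run; `False` means the cached tarball already matches the repo server.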
Extracting the ssh public key using cat and storing the result in a
fact has resulted in periodic failures in the collection of the key,
and thereafter the failure to appropriately place that key into the
authorised_keys file.
This patch changes the collection method to use the Ansible slurp
module which has been found to be more reliable.
Closes-Bug: #1531783
Change-Id: I26340a0c69064f84d9d87f19ce015ba44b6ffa8b
The nova_rpc_backend variable is currently set to the value that
applies for Kilo and has not been updated to the new Liberty
setting.
This patch corrects that.
Closes-Bug: #1537039
Change-Id: I6a946a5ce56a90e9ef1aebdba0350076cdb9ad2c
This patch does the following:
- updates the Master SHAs for new development work.
- includes updates to policy, paste and rootwrap files as required
- moves the Aodh repository to openstack_services as it now has
implemented a stable branch
- Updated the keystone-wsgi file as it was still running the code from
liberty
- add 2 package requirements to keystone which must be present for the
new wsgi file.
- updates tempest.conf.j2 to replace ssh_auth_method with auth_method,
and change auth_method to 'keypair' (configured is no longer
a valid option)
Change-Id: I933c24c03518865d9d40519dafb2ba46769a5453
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
`role_name` is a reserved variable name. Instead, use the explicit
service_role_name variables when adding roles to users.
Change-Id: Ia5fa0e400aeec6d808891c5dd793ee8177d9b5f3
If egrep is not located at /usr/bin/egrep, the os_nova "Get virt type
value and store as var" task will silently fail causing the
nova_virt_type to always default to qemu.
Update the command to include a lookup for the correct path to egrep.
Change-Id: I378b555d157ee3f39d682c3ddadb6e3ffd933503
Closes-Bug: #1531670
This fix adds the multipath-tools package to all nova
nodes in order to support iscsi-multipath inside nova.
In order to enable this feature in nova the following override
needs to be configured:
nova_nova_conf_overrides:
  libvirt:
    iscsi_use_multipath: true
DocImpact
Closes-Bug: #1524957
Change-Id: I36da282043ce864c8a1fb69a1ee02e3a273c14e4
When using an LDAP backend the playbooks fail when "ensuring.*"
which is a keystone client action. The reason for the failure is
related to how ldap backend, and is triggered when the service
users are within the ldap and not SQL. To resolve the issue a boolean
conditional was created on the various OS_.* roles to skip specific
tasks when the service users have already been added into LDAP.
Change-Id: I64a8d1e926c54b821f8bfb561a8b6f755bc1ed93
Closes-Bug: #1518351
Closes-Bug: #1519174
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Ceph python bindings are now available from pypi, so they can be
installed within a venv. Previously we were relying on the bindings
being installed via an apt package and symlinking out of the relevant
venvs into site packages.
This commit also includes a revert for the commit that introduced the
symlinks:
Revert "Symlink ceph libraries out of venv"
This reverts commit a0ab6f7a6efea1dabf5ac006f766c17596a0d10b.
Ceph Bug: http://tracker.ceph.com/issues/5900
Related-Bug: #1509837
Package URL: https://pypi.python.org/pypi/python-cephlibs/0.94.5.post1
Change-Id: Id8a0b8ea810fd9e43f9743bb2572e2b6b0985230
In https://review.openstack.org/243098 nova_virt_type auto-detection
was implemented, but the default nova_virt_type value of kvm was left
in place, resulting in the auto-detection never happening.
This patch implements the auto-detection if nova_virt_type is not set
and removes the default value for nova_virt_type.
Change-Id: Ic1c8f042bc6bbee542373d335f338866efa06dc7
The default for nova_force_config_drive upstream is "false"; there is a
TODO to adjust this in Liberty.
This patch completes that TODO and sets the var (removing the TODO
comment).
Change-Id: I2159464c852b72685ee1a81d169ab64b6a1cc4b9
Closes-Bug: #1520628
Add comments in playbooks/roles/os_nova/defaults/main.yml,
mainly about nova_virt_type and nova_virt_autodetect.
Change-Id: I51ddfb44adc582c3c0ea47c7a4162881dfa2f7c3
If nova_virt_type variable is not defined in defaults/main.yml,
using the command "egrep -c '(vmx|svm)' /proc/cpuinfo" in the
deploy environment, it can easily tell us what the right
virt_type is according to the return value.
If this command returns a value of one or greater, your
compute node supports hardware acceleration and just set
virt_type = kvm.
If this command returns a value of zero, your compute node
does not support hardware acceleration and you must configure
virt_type = qemu instead of kvm.
Change-Id: I6e36ffcb56d50556df0803aea9f4cd7850fada5a
This removes the deprecated vif driver in Juno.
Change-Id: I3ae8e9be51e0290b74e1f660f9f8d15326efca22
Closes-bug: #1501029
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
The spice and vnc consoles are mutually exclusive with Horizon set
to auto-detect the console type. It is also clear from the
configuration method that the designed implementation is to deploy
only one of them.
This patch ensures that only one is enabled at a time by explicitly
disabling the vnc console (which defaults to enabled).
Change-Id: Ib0368d3d6125e4abe7f9a9c40748457fc0d349f2
This review standardises the ownership of the *_venv_dir directories by
ensuring all are created as root instead of using the service's user.
This behaviour already exists in the following roles:
- os_aodh
- os_glance
- os_swift
Change-Id: Idab42b83bece3624271780105f6a937eb88c7491
This commit conditionally allows the os_nova role to
install build and deploy within a venv. This is the new
default behavior of the role however the functionality
can be disabled.
Implements: blueprint enable-venv-support-within-the-roles
Change-Id: I13cf36058d08934a41b24ccf4f1700321ab00547
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
If a cloned repo contains local modifications, the clone task will
fail. This ensures any local modifications are discarded, ensuring a
successful clone.
Change-Id: Ic5799fe07e15739cc11acabba803e3be47606f94
Closes-Bug: #1506590
This patch includes the following updates based on the updated
source in Nova's Liberty release:
- api-paste.ini
- policy.json
- rootwrap.d/compute.filters
- rootwrap.d/network.filters
The Nova S3 and v3 APIs have been removed in Liberty, so all
related variables and configuration file entries have been
removed.
The Nova EC2 API is deprecated in Liberty. All related variables in
OpenStack-Ansible and configuration files have been removed as all
deployers are recommended to make use of the actively developed
replacement: https://github.com/stackforge/ec2-api
The Nova v2 and v1.1 APIs are enabled using the upstream default
compatibility layer. Neither of these versions will be registered in
the service catalog.
The default API version is set to v2.1. For new environments, no
other API versions are registered in the service catalog.
The following variables have been removed:
- S3 API
  - nova_s3_service_name
  - nova_s3_service_type
  - nova_s3_service_proto
  - nova_s3_service_publicuri_proto
  - nova_s3_service_adminuri_proto
  - nova_s3_service_internaluri_proto
  - nova_s3_service_port
  - nova_s3_service_description
  - nova_s3_service_publicuri
  - nova_s3_service_publicurl
  - nova_s3_service_adminuri
  - nova_s3_service_adminurl
  - nova_s3_service_internaluri
  - nova_s3_service_internalurl
  - nova_s3_program_name
  - nova_s3_deprecated_but_enabled
- EC2 API
  - nova_ec2_service_name
  - nova_ec2_service_type
  - nova_ec2_service_proto
  - nova_ec2_service_publicuri_proto
  - nova_ec2_service_adminuri_proto
  - nova_ec2_service_internaluri_proto
  - nova_ec2_service_port
  - nova_ec2_service_description
  - nova_ec2_service_publicuri
  - nova_ec2_service_publicurl
  - nova_ec2_service_adminuri
  - nova_ec2_service_adminurl
  - nova_ec2_service_internaluri
  - nova_ec2_service_internalurl
  - nova_ec2_program_name
  - nova_ec2_deprecated_but_enabled
- v3 API
  - nova_v3_service_name
  - nova_v3_service_type
  - nova_v3_service_proto
  - nova_v3_service_publicuri_proto
  - nova_v3_service_adminuri_proto
  - nova_v3_service_internaluri_proto
  - nova_v3_service_port
  - nova_v3_service_description
  - nova_v3_service_publicuri
  - nova_v3_service_publicurl
  - nova_v3_service_adminuri
  - nova_v3_service_adminurl
  - nova_v3_service_internaluri
  - nova_v3_service_internalurl
  - nova_v3_deprecated_but_enabled
- v2.1 API
  - nova_v21_service_name -> nova_service_name
  - nova_v21_service_type -> nova_service_type
  - nova_v21_service_proto -> nova_service_proto
  - nova_v21_service_publicuri_proto -> nova_service_publicuri_proto
  - nova_v21_service_adminuri_proto -> nova_service_adminuri_proto
  - nova_v21_service_internaluri_proto -> nova_service_internaluri_proto
  - nova_v21_service_port -> nova_service_port
  - nova_v21_service_description -> nova_service_description
  - nova_v21_service_publicuri -> nova_service_publicuri
  - nova_v21_service_publicurl -> nova_service_publicurl
  - nova_v21_service_adminuri -> nova_service_adminuri
  - nova_v21_service_adminurl -> nova_service_adminurl
  - nova_v21_service_internaluri -> nova_service_internaluri
  - nova_v21_service_internalurl -> nova_service_internalurl
  - nova_v21_enabled
DocImpact
UpgradeImpact
Implements: blueprint liberty-release
Change-Id: Ie5a42059c10e7fd0bfc4dba8d87dea3f32db968e
This patch adds the packages necessary to allow for
the nova config_drive_format vfat
Change-Id: I304b25f68914d032e6aee0e62338c72165c6e62f
Closes-Bug: #1489225
As part of the cross-project effort [1] to prepare OpenStack for
Python3 as the primary Python version used, the decision has been
made to switch from using MySQL-python to PyMySQL [2].
This patch switches all OpenStack Services to use the PyMySQL
library.
[1] https://etherpad.openstack.org/p/liberty-cross-project-python3
[2] https://review.openstack.org/184388
UpgradeImpact
Implements: blueprint liberty-release
Change-Id: I7532b5dd72cd2f682f1e4ffdf290b741c2185cb3
This change sets the nova management address based on the
facts the play is able to set about the environment.
This will correctly configure nova to use a specific
management network which is not always the default
container address.
Closes-Bug: #1504226
Change-Id: Ib6d84072d379118ebfc560f4594c28e1fecf3b40
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
'ws://' is currently hardcoded within the spice_auto.html file included
in the packaged release of spice-html5, raising a security error when
accessing consoles over HTTPS.
Remove the existing apt package and install spice-html5 from source
instead since this issue has been corrected as of spice-html5-0.1.6.
Change-Id: Ie308a477143037963f903f2ac21b2b1f0328fcb3
Partial-Bug: #1424797
This change adds in support for the novnc console type in Nova.
* The change adds in a few new variables to the defaults which allow
for the novnc console to be configured.
* A port entry was added to haproxy to support the console type.
* noVNC is being installed from source in the nova_console container.
The git repo has been added to the openstack_other.yml repo-package file
which allows for the repo to be cloned into the repo containers and then
distributed out where needed from within the environment.
Closes-Bug: 1428833
Change-Id: I221557aad77bf266b4e2fae23007ffa210aa1f75
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This patch adds the variable 'pip_install_options' which is passed to the pip
install module as extra arguments in order to allow the use of options like
'--force-reinstall' when executing playbooks.
eg: openstack-ansible -e pip_install_options="--force-reinstall" \
setup-openstack.yml
This is required due to constant upstream changes in dependencies which
result in python wheel version upgrades and downgrades between tagged
versions of openstack-ansible.
The intention is that this can be used whenever a deployer switches between
tags for both upgrades and downgrades.
DocImpact
Closes-Bug: #1489251
Closes-Bug: #1499451
Related-Bug: #1501114
Change-Id: I996185e009a4c4af4f23798619bdbd0d490360c9
The change modifies the nova template tasks such that it's now
using the config_template action plugin. This change will make it so that
config files can be dynamically updated, by a deployer, at run time,
without requiring the need to modify the in tree templates or defaults.
Partially implements: blueprint tunable-openstack-configuration
Change-Id: I9842ed3fcb2cc4aa379a582359b1ca5d0747f714