diff --git a/defaults/main.yml b/defaults/main.yml index 51967402..a4eafd66 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -20,7 +20,11 @@ debug: False # for the service setup. The host must already have # clouds.yaml properly configured. octavia_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}" -octavia_service_setup_host_python_interpreter: "{{ openstack_service_setup_host_python_interpreter | default((octavia_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) }}" +octavia_service_setup_host_python_interpreter: >- + {{ + openstack_service_setup_host_python_interpreter | default( + (octavia_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) + }} # Set installation method. octavia_install_method: "{{ service_install_method | default('source') }}" @@ -42,7 +46,8 @@ octavia_package_state: "{{ package_state | default('latest') }}" octavia_git_repo: https://opendev.org/openstack/octavia octavia_git_install_branch: master -octavia_upper_constraints_url: "{{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}" +octavia_upper_constraints_url: >- + {{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }} octavia_git_constraints: - "--constraint {{ octavia_upper_constraints_url }}" 
@@ -67,7 +72,11 @@ octavia_cinder_volume_type: "volumes-hdd" ## Database info octavia_db_setup_host: "{{ openstack_db_setup_host | default('localhost') }}" -octavia_db_setup_python_interpreter: "{{ openstack_db_setup_python_interpreter | default((octavia_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) }}" +octavia_db_setup_python_interpreter: >- + {{ + openstack_db_setup_python_interpreter | default( + (octavia_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) + }} octavia_galera_address: "{{ galera_address | default('127.0.0.1') }}" octavia_galera_user: octavia octavia_galera_database: octavia @@ -75,7 +84,7 @@ octavia_galera_persistence_database: octavia_persistence octavia_galera_use_ssl: "{{ galera_use_ssl | default(False) }}" octavia_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}" octavia_db_max_overflow: "{{ openstack_db_max_overflow | default('50') }}" -octavia_db_max_pool_size: "{{ openstack_db_max_pool_size | default('5') }}" +octavia_db_max_pool_size: "{{ openstack_db_max_pool_size | default('5') }}" octavia_db_pool_timeout: "{{ openstack_db_pool_timeout | default('30') }}" octavia_db_connection_recycle_time: "{{ openstack_db_connection_recycle_time | default('600') }}" octavia_galera_port: "{{ galera_port | default('3306') }}" 
@@ -106,7 +115,8 @@ octavia_oslomsg_rpc_ssl_ca_file: "{{ oslomsg_rpc_ssl_ca_file | default('') }}" # Notify octavia_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}" -octavia_oslomsg_notify_setup_host: "{{ (octavia_oslomsg_notify_host_group in groups) | ternary(groups[octavia_oslomsg_notify_host_group][0], 'localhost') }}" +octavia_oslomsg_notify_setup_host: >- + {{ (octavia_oslomsg_notify_host_group in groups) | ternary(groups[octavia_oslomsg_notify_host_group][0], 'localhost') }} octavia_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}" octavia_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}" octavia_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}" @@ -279,17 +289,21 @@ octavia_security_group_rule_cidr: "{{ octavia_management_net_subnet_cidr }}" octavia_ssh_enabled: False octavia_ssh_key_name: octavia_key octavia_keypair_setup_host: "{{ openstack_service_setup_host | default('localhost') }}" -octavia_keypair_setup_host_python_interpreter: "{{ openstack_service_setup_host_python_interpreter | default((octavia_keypair_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) }}" +octavia_keypair_setup_host_python_interpreter: >- + {{ + openstack_service_setup_host_python_interpreter | default((octavia_keypair_setup_host == 'localhost') | ternary( + ansible_playbook_python, ansible_facts['python']['executable'])) + }} # port the agent listens on octavia_agent_port: "9443" octavia_health_manager_port: 5555 -#Octavia Nova flavor +# Octavia Nova flavor octavia_amp_flavor_name: "m1.amphora" octavia_amp_ram: 1024 octavia_amp_vcpu: 1 octavia_amp_disk: 20 -#octavia_amp_extra_specs: +# octavia_amp_extra_specs: # only increase when it's a really busy system since this is by deployed host, # e.g. 3 hosts, 5 workers (this param) per host, results in 15 worker total 
@@ -337,7 +351,7 @@ octavia_amp_availability_zone: nova
 # dest: "/etc/octavia/templates/macros.cfg.j2"
 octavia_user_haproxy_templates: {}
 # Path of custom haproxy template file
-#octavia_haproxy_amphora_template: /etc/octavia/templates/haproxy.cfg.j2
+# octavia_haproxy_amphora_template: /etc/octavia/templates/haproxy.cfg.j2
 # Name of the Octavia management network in Neutron
 octavia_neutron_management_network_name: lbaas-mgmt
@@ -346,7 +360,7 @@ octavia_provider_network_name: lbaas
 # Network type
 octavia_provider_network_type: flat
 # Network segmentation ID if vlan, gre...
-#octavia_provider_segmentation_id:
+# octavia_provider_segmentation_id:
 # Network CIDR
 octavia_management_net_subnet_cidr: 172.29.232.0/22
 # Example allocation range:
@@ -359,13 +373,18 @@ octavia_service_net_setup: True # This should match net_name from provider_networks structure in openstack_user_config octavia_provider_inventory_net_name: "{{ octavia_provider_network_name }}" # This gets container managment network structure based on octavia_provider_inventory_net_name -octavia_provider_network: "{{ provider_networks|map(attribute='network')|selectattr('net_name','defined')|selectattr('net_name', 'equalto', octavia_provider_inventory_net_name)|list|first }}" +octavia_provider_network: >- + {{ provider_networks | map(attribute='network') | selectattr('net_name', 'defined') | selectattr( + 'net_name', 'equalto', octavia_provider_inventory_net_name) | list | first + }} # The name of the network address pool octavia_container_network_name: "{{ octavia_provider_network['ip_from_q'] }}_address" octavia_hm_group: "octavia-health-manager" # Note: We use some heuristics here but if you do anything special make sure to use the # ip addresses on the right network. This will use the container networking to figure out the ip -octavia_hm_hosts: "{% for host in groups[octavia_hm_group] %}{{ hostvars[host]['container_networks'][octavia_container_network_name]['address'] }}{% if not loop.last %},{% endif %}{% endfor %}" +octavia_hm_hosts: >- + {% for host in groups[octavia_hm_group] %}{{ hostvars[host]['container_networks'][octavia_container_network_name]['address'] }}{% + if not loop.last %},{% endif %}{% endfor %} # Set this to the right container port aka the eth you connect to the octavia # management network octavia_container_interface: "{{ octavia_provider_network.container_interface }}" @@ -382,7 +401,7 @@ octavia_iptables_rules: - # Allow existing connections: chain: INPUT in_interface: "{{ octavia_container_interface }}" - ctstate: RELATED,ESTABLISHED + ctstate: RELATED,ESTABLISHED jump: ACCEPT - # Allow heartbeat: chain: INPUT 
@@ -406,7 +425,7 @@ octavia_iptables_rules: - # Allow existing connections chain: INPUT in_interface: "{{ octavia_container_interface }}" - ctstate: RELATED,ESTABLISHED + ctstate: RELATED,ESTABLISHED jump: ACCEPT ip_version: ipv6 - # Allow heartbeat @@ -429,7 +448,8 @@ octavia_iptables_rules: # uWSGI Settings octavia_wsgi_processes_max: 16 -octavia_wsgi_processes: "{{ [[(ansible_facts['processor_vcpus']//ansible_facts['processor_threads_per_core'])|default(1), 1] | max * 2, octavia_wsgi_processes_max] | min }}" +octavia_wsgi_processes: >- + {{ [[(ansible_facts['processor_vcpus'] // ansible_facts['processor_threads_per_core']) | default(1), 1] | max * 2, octavia_wsgi_processes_max] | min }} octavia_wsgi_threads: 1 octavia_uwsgi_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}" octavia_uwsgi_tls: 
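Review bot: In the rewritten `octavia_wsgi_processes` expression the `| default(1)` is applied to the result of the integer division, so it never protects the operands: as far as I can tell from Jinja's undefined handling, an undefined `ansible_facts['processor_threads_per_core']` makes the `//` itself raise before `default` is reached, and a zero value divides by zero. If the fallback is meant to cover hosts missing the fact, it has to sit on each operand, e.g. `(ansible_facts['processor_vcpus'] | default(1)) // (ansible_facts['processor_threads_per_core'] | default(1))`. The zero case would still need its own guard if any supported platform can report it.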
@@ -578,27 +598,27 @@ octavia_cert_install_certificates: condition: "{{ octavia_generate_certs | bool }}" # Custom client CA -#octavia_client_ca: "{{ octavia_cert_dir }}/ca_01.pem" +# octavia_client_ca: "{{ octavia_cert_dir }}/ca_01.pem" ## Custom client certs -#octavia_client_cert: "{{ octavia_cert_dir }}/client.pem" -#octavia_client_key: "{{ octavia_cert_dir }}/client.key.pem" +# octavia_client_cert: "{{ octavia_cert_dir }}/client.pem" +# octavia_client_key: "{{ octavia_cert_dir }}/client.key.pem" ## server -#octavia_server_ca: "{{ octavia_ca_certificate }}" +# octavia_server_ca: "{{ octavia_ca_certificate }}" ## ca certs -#octavia_ca_private_key: "{{ octavia_cert_dir }}/private/cakey.pem" +# octavia_ca_private_key: "{{ octavia_cert_dir }}/private/cakey.pem" octavia_ca_private_key_passphrase: "{{ octavia_cert_client_password }}" -#octavia_ca_certificate: "{{ octavia_cert_dir }}/ca_server_01.pem" +# octavia_ca_certificate: "{{ octavia_cert_dir }}/ca_server_01.pem" # Quotas for the Octavia user - assuming active/passive topology octavia_num_instances: 10000 # 5000 LB in active/passive -octavia_ram: "{{ (octavia_num_instances|int)*1024 }}" -octavia_num_server_groups: "{{ ((octavia_num_instances|int)*0.5)|int|abs }}" +octavia_ram: "{{ (octavia_num_instances | int) * 1024 }}" +octavia_num_server_groups: "{{ ((octavia_num_instances | int) * 0.5) | int | abs }}" octavia_num_server_group_members: 50 octavia_num_cores: "{{ octavia_num_instances }}" -octavia_num_secgroups: "{{ (octavia_num_instances|int)*1.5|int|abs }}" # average 3 listener per lb -octavia_num_ports: "{{ (octavia_num_instances|int)*10 }}" # at least instances * 10 -octavia_num_security_group_rules: "{{ (octavia_num_secgroups|int)*100 }}" +octavia_num_secgroups: "{{ (octavia_num_instances | int) * 1.5 | int | abs }}" # average 3 listener per lb +octavia_num_ports: "{{ (octavia_num_instances | int) * 10 }}" # at least instances * 10 +octavia_num_security_group_rules: "{{ (octavia_num_secgroups | int) * 100 
}}" ## Tunable overrides octavia_octavia_conf_overrides: {} @@ -623,5 +643,5 @@ octavia_api_ssl_cert: /etc/octavia/certs/octavia-api.pem octavia_api_ssl_key: /etc/octavia/certs/octavia-api.key # Define user-provided SSL certificates -#octavia_api_user_ssl_cert: -#octavia_api_user_ssl_key: +# octavia_api_user_ssl_cert: +# octavia_api_user_ssl_key: diff --git a/meta/main.yml b/meta/main.yml index b230f55c..5a9fb02c 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -18,16 +18,21 @@ galaxy_info: description: Installation and setup of octavia company: Rackspace license: Apache2 - min_ansible_version: 2.2 + role_name: os_octavia + namespace: openstack + min_ansible_version: "2.10" platforms: - name: Debian versions: - - buster + - bullseye - name: Ubuntu versions: - - bionic - focal - categories: + - jammy + - name: EL + versions: + - "9" + galaxy_tags: - cloud - development - octavia diff --git a/tasks/main.yml b/tasks/main.yml index 4792b804..6aaf89bd 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -51,7 +51,8 @@ tags: - always -- include_role: +- name: Including osa.db_setup role + include_role: name: openstack.osa.db_setup apply: tags: @@ -77,7 +78,8 @@ tags: - always -- include_role: +- name: Including osa.mq_setup role + include_role: name: openstack.osa.mq_setup apply: tags: @@ -104,7 +106,8 @@ tags: - always -- import_tasks: octavia_pre_install.yml +- name: Importing octavia_pre_install tasks + import_tasks: octavia_pre_install.yml tags: - octavia-install @@ -135,6 +138,9 @@ src: /etc/octavia/certs/ dest: /etc/octavia/certs/client.pem regexp: '(client\.pem\.crt|client\.pem\.key)$' + owner: "{{ octavia_system_user_name }}" + group: "{{ octavia_system_group_name }}" + mode: "0640" notify: - Restart octavia services - Restart uwsgi services @@ -145,7 +151,8 @@ - octavia-install -- import_tasks: octavia_install.yml +- name: Importing octavia_install tasks + import_tasks: octavia_install.yml tags: - octavia-install 
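Review bot: `octavia_num_secgroups` is only re-spaced here, but the expression still has a precedence problem: Jinja filters bind tighter than `*`, so `1.5 | int | abs` evaluates to `1` and the quota comes out equal to `octavia_num_instances` rather than 1.5 times it, which both the `# average 3 listener per lb` comment and the parenthesised `octavia_num_server_groups` line just above suggest was intended. `octavia_num_security_group_rules` is derived from it and is undersized by the same factor. If 1.5x is the intent, parenthesise the product the way the server-groups line does: `octavia_num_secgroups: "{{ ((octavia_num_instances | int) * 1.5) | int | abs }}"  # average 3 listener per lb`.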
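Review bot: Adding `owner`/`group`/`mode: "0640"` to the assembled `/etc/octavia/certs/client.pem` is the right tightening, because the `regexp` pulls `client.pem.key` into it and the result is the amphora-client private key, but the fragments it is built from sit in the same `src` directory and are written by a task outside this hunk, so their modes need the same treatment or the key remains readable through the fragment file. The task's `- name:` and module line are above the hunk; I am inferring `assemble` from the `src`/`dest`/`regexp` trio. Since group-readable is a deliberate choice, a one-line comment above `owner:` such as `# client.pem embeds the private key; group-readable so every octavia service can load it` would stop a later reviewer from tightening it to 0600 and breaking the workers.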
@@ -169,16 +176,17 @@ systemd_tempd_prefix: openstack systemd_slice_name: "{{ octavia_system_slice_name }}" systemd_lock_dir: "{{ octavia_lock_dir }}" - systemd_CPUAccounting: true - systemd_BlockIOAccounting: true - systemd_MemoryAccounting: true - systemd_TasksAccounting: true + systemd_service_cpu_accounting: true + systemd_service_block_io_accounting: true + systemd_service_memory_accounting: true + systemd_service_tasks_accounting: true systemd_services: "{{ filtered_octavia_services }}" tags: - octavia-config - systemd-service -- include_role: +- name: Including osa.service_setup role + include_role: name: openstack.osa.service_setup apply: tags: @@ -218,7 +226,8 @@ tags: - always -- include_tasks: octavia_mgmt_network.yml +- name: Including octavia_mgmt_network tasks + include_tasks: octavia_mgmt_network.yml args: apply: tags: @@ -231,13 +240,15 @@ tags: - always -- import_tasks: octavia_security_group.yml +- name: Importing octavia_security_group tasks + import_tasks: octavia_security_group.yml when: - _octavia_is_first_play_host tags: - octavia-install -- include_tasks: octavia_keypair.yml +- name: Including octavia_keypair tasks + include_tasks: octavia_keypair.yml args: apply: tags: @@ -247,7 +258,8 @@ tags: - always -- include_tasks: octavia_flavor_create.yml +- name: Importing octavia_flavor_create tasks + include_tasks: octavia_flavor_create.yml args: apply: tags: 
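Review bot: The rename from `systemd_CPUAccounting` and friends to `systemd_service_cpu_accounting` etc. only has an effect if the systemd_service role included here recognises the new names; a role version that still reads the old ones will silently run the octavia units without CPU, memory or task accounting, since unknown role variables are simply ignored. Nothing in this diff pins that role's version (the meta hunk only raises `min_ansible_version`), so it is worth a comment on the `systemd_service_cpu_accounting: true` line, or an entry in the role's requirements, naming the minimum systemd_service version that introduced these variables. I cannot see the included role from here, so treat this as something to confirm rather than a known breakage.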
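Review bot: The new task name `Importing octavia_flavor_create tasks` describes `import_tasks`, but the module beneath it is `include_tasks` with `args: apply:`, whereas every sibling task renamed in this file pairs `Including …` with `include_tasks` and `Importing …` with `import_tasks`. The distinction matters when someone is tracing why tags apply differently to included versus imported files, so rename it to `- name: Including octavia_flavor_create tasks`.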
@@ -259,24 +271,28 @@ tags: - always -- import_tasks: octavia_post_install.yml +- name: Importing octavia_post_install tasks + import_tasks: octavia_post_install.yml tags: - octavia-install - octavia-config -- import_tasks: octavia_db_sync.yml +- name: Importing octavia_db_sync tasks + import_tasks: octavia_db_sync.yml when: - _octavia_is_first_play_host tags: - octavia-install -- import_tasks: octavia_policy.yml +- name: Importing octavia_policy tasks + import_tasks: octavia_policy.yml tags: - octavia-install - octavia-config - octavia-policy-override -- include_tasks: octavia_amp_image.yml +- name: Including octavia_amp_image tasks + include_tasks: octavia_amp_image.yml args: apply: tags: diff --git a/tasks/octavia_amp_image.yml b/tasks/octavia_amp_image.yml index eee8998d..90b2b80e 100644 --- a/tasks/octavia_amp_image.yml +++ b/tasks/octavia_amp_image.yml @@ -34,6 +34,7 @@ get_url: url: "{{ octavia_artefact_url }}" dest: "{{ octavia_amp_image_path }}" + mode: "0644" retries: 10 delay: 10 register: octavia_download_result @@ -74,6 +75,7 @@ --private --project {{ octavia_service_project_name }} amphora-x64-haproxy + changed_when: false - name: Delete old image from glance openstack.cloud.image: diff --git a/tasks/octavia_install.yml b/tasks/octavia_install.yml index 5d0a88c8..87f43837 100644 --- a/tasks/octavia_install.yml +++ b/tasks/octavia_install.yml @@ -6,6 +6,7 @@ section: "octavia" option: "install_method" value: "{{ octavia_install_method }}" + mode: "0644" - name: Refresh local facts to ensure the octavia section is present setup: 
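Review bot: The `get_url` fetch of `octavia_artefact_url` gains `mode: "0644"` but still has no `checksum:`, so the image that becomes the root disk of every amphora the service boots is accepted as whatever the URL returns, with transport TLS as the only integrity control. A sha256 value carried next to the URL in defaults and verified here with `checksum: "sha256:{{ octavia_artefact_checksum }}"` (a new variable) would close that gap and also make the 10 retries safe against a truncated download. The task's `- name:` line is above the hunk and I cannot see whether the image is verified elsewhere, so treat this as something to confirm.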
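Review bot: `changed_when: false` is added to a command that, judging from the `--private --project … amphora-x64-haproxy` arguments, creates a Glance image, so a run that really uploads a new image reports no change and nothing downstream (handlers, `is changed` checks) can react to it; the task's module line and any `when` guard are outside the hunk, so I am inferring this from the visible arguments. Idempotence should come from the condition that decides whether the command runs, not from masking its result: if the task only runs when a new image is needed, drop the line, otherwise `register` the output and derive `changed_when` from its `rc`.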
@@ -33,8 +34,11 @@ venv_install_destination_path: "{{ octavia_bin | dirname }}" venv_install_distro_package_list: "{{ octavia_distro_packages }}" venv_pip_install_args: "{{ octavia_pip_install_args }}" - venv_pip_packages: "{{ octavia_pip_packages | union(octavia_user_pip_packages) + - (octavia_oslomsg_amqp1_enabled | bool) | ternary(octavia_optional_oslomsg_amqp1_pip_packages, []) }}" + venv_pip_packages: >- + {{ + octavia_pip_packages | union(octavia_user_pip_packages) + + (octavia_oslomsg_amqp1_enabled | bool) | ternary(octavia_optional_oslomsg_amqp1_pip_packages, []) + }} venv_facts_when_changed: - section: "octavia" option: "venv_tag" diff --git a/tasks/octavia_keypair.yml b/tasks/octavia_keypair.yml index eb60daac..85fe5664 100644 --- a/tasks/octavia_keypair.yml +++ b/tasks/octavia_keypair.yml @@ -35,6 +35,7 @@ copy: content: "{{ _octavia_keypair['keypair']['private_key'] }}" dest: "{{ lookup('env', 'HOME') }}/.ssh/{{ octavia_ssh_key_name }}" + mode: "0600" delegate_to: localhost when: - _octavia_keypair is changed diff --git a/tasks/octavia_post_install.yml b/tasks/octavia_post_install.yml index 13f8e4ae..fa3591de 100644 --- a/tasks/octavia_post_install.yml +++ b/tasks/octavia_post_install.yml @@ -15,7 +15,7 @@ # iptables module doesn't see empty string as a null value so this is the only # way to get a configurable rule definition in right now -- name: iptables rules +- name: IPtables rules iptables: "{{ item }}" with_items: "{{ octavia_iptables_rules }}" when: octavia_ip_tables_fw | bool 
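Review bot: The `copy` that writes `_octavia_keypair['keypair']['private_key']` to `~/.ssh/{{ octavia_ssh_key_name }}` now sets `mode: "0600"`, which is correct, but the hunk shows no `no_log: true` on the task: with `content:` holding a private key, the default callback prints the full module arguments, key included, on failure or under `-v`, and the same material already lives in the registered `_octavia_keypair` variable from the task above. Add `no_log: true` next to `delegate_to: localhost` unless it is already set on a line outside the hunk; the task's `- name:` line is above what is shown.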
@@ -23,13 +23,15 @@ # This is totally odd: If you run the commands via run-parts (as the script # in the distro does) they return 1; but do their job. If you run them # directly they work. Ignoring errors for now -- -- name: save iptables rules (Debian/Ubuntu) +- name: Save iptables rules (Debian/Ubuntu) command: netfilter-persistent save + changed_when: false failed_when: false when: ansible_facts['os_family'] == 'Debian' -- name: save iptables rules (CentOS) +- name: Save iptables rules (CentOS) shell: iptables-save > /etc/sysconfig/iptables + changed_when: false when: - ansible_facts['distribution'] == 'CentOS' diff --git a/tasks/octavia_pre_install.yml b/tasks/octavia_pre_install.yml index 9948fb97..076a6995 100644 --- a/tasks/octavia_pre_install.yml +++ b/tasks/octavia_pre_install.yml @@ -33,9 +33,9 @@ file: path: "{{ item.path }}" state: directory - owner: "{{ item.owner|default(octavia_system_user_name) }}" - group: "{{ item.group|default(octavia_system_group_name) }}" - mode: "{{ item.mode|default('0755') }}" + owner: "{{ item.owner | default(octavia_system_user_name) }}" + group: "{{ item.group | default(octavia_system_group_name) }}" + mode: "{{ item.mode | default('0755') }}" with_items: - { path: "/openstack", owner: "root", group: "root" } - { path: "/openstack/venvs", owner: "root", group: "root" } diff --git a/vars/main.yml b/vars/main.yml index 64822d21..d9b10d42 100644 --- a/vars/main.yml +++ b/vars/main.yml 
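Review bot: The Debian persistence task now hides both outcomes, `failed_when: false` plus the new `changed_when: false`, so a `netfilter-persistent save` that genuinely fails (not just the rc=1-but-works case the comment describes) leaves the amphora-management firewall rules unpersisted with nothing in the play output. Matching the documented behaviour takes two lines: `register: _nfp_save` and `failed_when: _nfp_save.rc not in [0, 1]`. The CentOS task only runs `iptables-save`, so the `ip_version: ipv6` rules this role defines are never saved on that path, and its guard `ansible_facts['distribution'] == 'CentOS'` will not fire on the other EL distributions that meta now declares; `ansible_facts['os_family'] == 'RedHat'` would, though I cannot see whether EL hosts persist rules elsewhere in the role.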
@@ -13,7 +13,11 @@ # See the License for the specific language governing permissions and # limitations under the License. -_octavia_is_first_play_host: "{{ (octavia_services['octavia-api']['group'] in group_names and inventory_hostname == (groups[octavia_services['octavia-api']['group']] | intersect(ansible_play_hosts)) | first) | bool }}" +_octavia_is_first_play_host: >- + {{ + (octavia_services['octavia-api']['group'] in group_names and + inventory_hostname == (groups[octavia_services['octavia-api']['group']] | intersect(ansible_play_hosts)) | first) | bool + }} # # Compile a list of the services on a host based on whether @@ -65,14 +69,14 @@ uwsgi_octavia_services: |- {{ services }} _octavia_legacy_policies: - "context_is_admin": "role:admin or role:load-balancer_admin" - "admin_or_owner": "is_admin:True or project_id:%(project_id)s" - "load-balancer:read": "rule:admin_or_owner" - "load-balancer:read-global": "is_admin:True" - "load-balancer:write": "rule:admin_or_owner" - "load-balancer:read-quota": "rule:admin_or_owner" - "load-balancer:read-quota-global": "is_admin:True" - "load-balancer:write-quota": "is_admin:True" + "context_is_admin": "role:admin or role:load-balancer_admin" + "admin_or_owner": "is_admin:True or project_id:%(project_id)s" + "load-balancer:read": "rule:admin_or_owner" + "load-balancer:read-global": "is_admin:True" + "load-balancer:write": "rule:admin_or_owner" + "load-balancer:read-quota": "rule:admin_or_owner" + "load-balancer:read-quota-global": "is_admin:True" + "load-balancer:write-quota": "is_admin:True" _octavia_jobboard_driver_map: zookeeper: zookeeper_taskflow_driver