From d94e57f17bc18618306fcb9d9fb11593ed71f8ec Mon Sep 17 00:00:00 2001 From: Dmitriy Rabotyagov Date: Mon, 17 Jul 2023 15:38:00 +0200 Subject: [PATCH] Fix linters and metadata With update of ansible-lint to version >=6.0.0 a lot of new linters were added, that enabled by default. In order to comply with linter rules we're applying changes to the role. With that we also update metdata to reflect current state. Change-Id: Id8215882ee528d4c3055479e770c7432616649ba --- defaults/main.yml | 76 +++++++++++++++++++++------------- meta/main.yml | 13 ++++-- tasks/main.yml | 50 ++++++++++++++-------- tasks/octavia_amp_image.yml | 2 + tasks/octavia_install.yml | 8 +++- tasks/octavia_keypair.yml | 1 + tasks/octavia_post_install.yml | 8 ++-- tasks/octavia_pre_install.yml | 6 +-- vars/main.yml | 22 ++++++---- 9 files changed, 120 insertions(+), 66 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 51967402..a4eafd66 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -20,7 +20,11 @@ debug: False # for the service setup. The host must already have # clouds.yaml properly configured. octavia_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}" -octavia_service_setup_host_python_interpreter: "{{ openstack_service_setup_host_python_interpreter | default((octavia_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) }}" +octavia_service_setup_host_python_interpreter: >- + {{ + openstack_service_setup_host_python_interpreter | default( + (octavia_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) + }} # Set installation method. octavia_install_method: "{{ service_install_method | default('source') }}" 
@@ -42,7 +46,8 @@ octavia_package_state: "{{ package_state | default('latest') }}" octavia_git_repo: https://opendev.org/openstack/octavia octavia_git_install_branch: master -octavia_upper_constraints_url: "{{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}" +octavia_upper_constraints_url: >- + {{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }} octavia_git_constraints: - "--constraint {{ octavia_upper_constraints_url }}" @@ -67,7 +72,11 @@ octavia_cinder_volume_type: "volumes-hdd" ## Database info octavia_db_setup_host: "{{ openstack_db_setup_host | default('localhost') }}" -octavia_db_setup_python_interpreter: "{{ openstack_db_setup_python_interpreter | default((octavia_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) }}" +octavia_db_setup_python_interpreter: >- + {{ + openstack_db_setup_python_interpreter | default( + (octavia_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) + }} octavia_galera_address: "{{ galera_address | default('127.0.0.1') }}" octavia_galera_user: octavia octavia_galera_database: octavia @@ -75,7 +84,7 @@ octavia_galera_persistence_database: octavia_persistence octavia_galera_use_ssl: "{{ galera_use_ssl | default(False) }}" octavia_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('') }}" octavia_db_max_overflow: "{{ openstack_db_max_overflow | default('50') }}" -octavia_db_max_pool_size: "{{ openstack_db_max_pool_size | default('5') }}" +octavia_db_max_pool_size: "{{ openstack_db_max_pool_size | default('5') }}" octavia_db_pool_timeout: "{{ openstack_db_pool_timeout | default('30') }}" octavia_db_connection_recycle_time: "{{ openstack_db_connection_recycle_time | default('600') }}" octavia_galera_port: "{{ galera_port | default('3306') }}" 
@@ -106,7 +115,8 @@ octavia_oslomsg_rpc_ssl_ca_file: "{{ oslomsg_rpc_ssl_ca_file | default('') }}" # Notify octavia_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}" -octavia_oslomsg_notify_setup_host: "{{ (octavia_oslomsg_notify_host_group in groups) | ternary(groups[octavia_oslomsg_notify_host_group][0], 'localhost') }}" +octavia_oslomsg_notify_setup_host: >- + {{ (octavia_oslomsg_notify_host_group in groups) | ternary(groups[octavia_oslomsg_notify_host_group][0], 'localhost') }} octavia_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}" octavia_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}" octavia_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}" @@ -279,17 +289,21 @@ octavia_security_group_rule_cidr: "{{ octavia_management_net_subnet_cidr }}" octavia_ssh_enabled: False octavia_ssh_key_name: octavia_key octavia_keypair_setup_host: "{{ openstack_service_setup_host | default('localhost') }}" -octavia_keypair_setup_host_python_interpreter: "{{ openstack_service_setup_host_python_interpreter | default((octavia_keypair_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) }}" +octavia_keypair_setup_host_python_interpreter: >- + {{ + openstack_service_setup_host_python_interpreter | default((octavia_keypair_setup_host == 'localhost') | ternary( + ansible_playbook_python, ansible_facts['python']['executable'])) + }} # port the agent listens on octavia_agent_port: "9443" octavia_health_manager_port: 5555 -#Octavia Nova flavor +# Octavia Nova flavor octavia_amp_flavor_name: "m1.amphora" octavia_amp_ram: 1024 octavia_amp_vcpu: 1 octavia_amp_disk: 20 -#octavia_amp_extra_specs: +# octavia_amp_extra_specs: # only increase when it's a really busy system since this is by deployed host, # e.g. 3 hosts, 5 workers (this param) per host, results in 15 worker total 
@@ -337,7 +351,7 @@ octavia_amp_availability_zone: nova # dest: "/etc/octavia/templates/macros.cfg.j2" octavia_user_haproxy_templates: {} # Path of custom haproxy template file -#octavia_haproxy_amphora_template: /etc/octavia/templates/haproxy.cfg.j2 +# octavia_haproxy_amphora_template: /etc/octavia/templates/haproxy.cfg.j2 # Name of the Octavia management network in Neutron octavia_neutron_management_network_name: lbaas-mgmt @@ -346,7 +360,7 @@ octavia_provider_network_name: lbaas # Network type octavia_provider_network_type: flat # Network segmentation ID if vlan, gre... -#octavia_provider_segmentation_id: +# octavia_provider_segmentation_id: # Network CIDR octavia_management_net_subnet_cidr: 172.29.232.0/22 # Example allocation range: 
@@ -359,13 +373,18 @@ octavia_service_net_setup: True # This should match net_name from provider_networks structure in openstack_user_config octavia_provider_inventory_net_name: "{{ octavia_provider_network_name }}" # This gets container managment network structure based on octavia_provider_inventory_net_name -octavia_provider_network: "{{ provider_networks|map(attribute='network')|selectattr('net_name','defined')|selectattr('net_name', 'equalto', octavia_provider_inventory_net_name)|list|first }}" +octavia_provider_network: >- + {{ provider_networks | map(attribute='network') | selectattr('net_name', 'defined') | selectattr( + 'net_name', 'equalto', octavia_provider_inventory_net_name) | list | first + }} # The name of the network address pool octavia_container_network_name: "{{ octavia_provider_network['ip_from_q'] }}_address" octavia_hm_group: "octavia-health-manager" # Note: We use some heuristics here but if you do anything special make sure to use the # ip addresses on the right network. This will use the container networking to figure out the ip -octavia_hm_hosts: "{% for host in groups[octavia_hm_group] %}{{ hostvars[host]['container_networks'][octavia_container_network_name]['address'] }}{% if not loop.last %},{% endif %}{% endfor %}" +octavia_hm_hosts: >- + {% for host in groups[octavia_hm_group] %}{{ hostvars[host]['container_networks'][octavia_container_network_name]['address'] }}{% + if not loop.last %},{% endif %}{% endfor %} # Set this to the right container port aka the eth you connect to the octavia # management network octavia_container_interface: "{{ octavia_provider_network.container_interface }}" @@ -382,7 +401,7 @@ octavia_iptables_rules: - # Allow existing connections: chain: INPUT in_interface: "{{ octavia_container_interface }}" - ctstate: RELATED,ESTABLISHED + ctstate: RELATED,ESTABLISHED jump: ACCEPT - # Allow heartbeat: chain: INPUT 
@@ -406,7 +425,7 @@ octavia_iptables_rules: - # Allow existing connections chain: INPUT in_interface: "{{ octavia_container_interface }}" - ctstate: RELATED,ESTABLISHED + ctstate: RELATED,ESTABLISHED jump: ACCEPT ip_version: ipv6 - # Allow heartbeat @@ -429,7 +448,8 @@ octavia_iptables_rules: # uWSGI Settings octavia_wsgi_processes_max: 16 -octavia_wsgi_processes: "{{ [[(ansible_facts['processor_vcpus']//ansible_facts['processor_threads_per_core'])|default(1), 1] | max * 2, octavia_wsgi_processes_max] | min }}" +octavia_wsgi_processes: >- + {{ [[(ansible_facts['processor_vcpus'] // ansible_facts['processor_threads_per_core']) | default(1), 1] | max * 2, octavia_wsgi_processes_max] | min }} octavia_wsgi_threads: 1 octavia_uwsgi_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}" octavia_uwsgi_tls: 
@@ -578,27 +598,27 @@ octavia_cert_install_certificates: condition: "{{ octavia_generate_certs | bool }}" # Custom client CA -#octavia_client_ca: "{{ octavia_cert_dir }}/ca_01.pem" +# octavia_client_ca: "{{ octavia_cert_dir }}/ca_01.pem" ## Custom client certs -#octavia_client_cert: "{{ octavia_cert_dir }}/client.pem" -#octavia_client_key: "{{ octavia_cert_dir }}/client.key.pem" +# octavia_client_cert: "{{ octavia_cert_dir }}/client.pem" +# octavia_client_key: "{{ octavia_cert_dir }}/client.key.pem" ## server -#octavia_server_ca: "{{ octavia_ca_certificate }}" +# octavia_server_ca: "{{ octavia_ca_certificate }}" ## ca certs -#octavia_ca_private_key: "{{ octavia_cert_dir }}/private/cakey.pem" +# octavia_ca_private_key: "{{ octavia_cert_dir }}/private/cakey.pem" octavia_ca_private_key_passphrase: "{{ octavia_cert_client_password }}" -#octavia_ca_certificate: "{{ octavia_cert_dir }}/ca_server_01.pem" +# octavia_ca_certificate: "{{ octavia_cert_dir }}/ca_server_01.pem" # Quotas for the Octavia user - assuming active/passive topology octavia_num_instances: 10000 # 5000 LB in active/passive -octavia_ram: "{{ (octavia_num_instances|int)*1024 }}" -octavia_num_server_groups: "{{ ((octavia_num_instances|int)*0.5)|int|abs }}" +octavia_ram: "{{ (octavia_num_instances | int) * 1024 }}" +octavia_num_server_groups: "{{ ((octavia_num_instances | int) * 0.5) | int | abs }}" octavia_num_server_group_members: 50 octavia_num_cores: "{{ octavia_num_instances }}" -octavia_num_secgroups: "{{ (octavia_num_instances|int)*1.5|int|abs }}" # average 3 listener per lb -octavia_num_ports: "{{ (octavia_num_instances|int)*10 }}" # at least instances * 10 -octavia_num_security_group_rules: "{{ (octavia_num_secgroups|int)*100 }}" +octavia_num_secgroups: "{{ (octavia_num_instances | int) * 1.5 | int | abs }}" # average 3 listener per lb +octavia_num_ports: "{{ (octavia_num_instances | int) * 10 }}" # at least instances * 10 +octavia_num_security_group_rules: "{{ (octavia_num_secgroups | int) * 100 
}}" ## Tunable overrides octavia_octavia_conf_overrides: {} @@ -623,5 +643,5 @@ octavia_api_ssl_cert: /etc/octavia/certs/octavia-api.pem octavia_api_ssl_key: /etc/octavia/certs/octavia-api.key # Define user-provided SSL certificates -#octavia_api_user_ssl_cert: -#octavia_api_user_ssl_key: +# octavia_api_user_ssl_cert: +# octavia_api_user_ssl_key: diff --git a/meta/main.yml b/meta/main.yml index b230f55c..5a9fb02c 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -18,16 +18,21 @@ galaxy_info: description: Installation and setup of octavia company: Rackspace license: Apache2 - min_ansible_version: 2.2 + role_name: os_octavia + namespace: openstack + min_ansible_version: "2.10" platforms: - name: Debian versions: - - buster + - bullseye - name: Ubuntu versions: - - bionic - focal - categories: + - jammy + - name: EL + versions: + - "9" + galaxy_tags: - cloud - development - octavia diff --git a/tasks/main.yml b/tasks/main.yml index 4792b804..6aaf89bd 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -51,7 +51,8 @@ tags: - always -- include_role: +- name: Including osa.db_setup role + include_role: name: openstack.osa.db_setup apply: tags: @@ -77,7 +78,8 @@ tags: - always -- include_role: +- name: Including osa.mq_setup role + include_role: name: openstack.osa.mq_setup apply: tags: @@ -104,7 +106,8 @@ tags: - always -- import_tasks: octavia_pre_install.yml +- name: Importing octavia_pre_install tasks + import_tasks: octavia_pre_install.yml tags: - octavia-install @@ -135,6 +138,9 @@ src: /etc/octavia/certs/ dest: /etc/octavia/certs/client.pem regexp: '(client\.pem\.crt|client\.pem\.key)$' + owner: "{{ octavia_system_user_name }}" + group: "{{ octavia_system_group_name }}" + mode: "0640" notify: - Restart octavia services - Restart uwsgi services @@ -145,7 +151,8 @@ - octavia-install -- import_tasks: octavia_install.yml +- name: Importing octavia_install tasks + import_tasks: octavia_install.yml tags: - octavia-install 
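Review bot: `octavia_num_secgroups` in the quota block of defaults/main.yml does not evaluate to 1.5 times the instance count, because Jinja2 filters bind tighter than `*`: `1.5 | int | abs` is reduced to 1 first, so the quota equals `octavia_num_instances`. The neighbouring `octavia_num_server_groups` already parenthesises the product, and this line should match it: `octavia_num_secgroups: "{{ ((octavia_num_instances | int) * 1.5) | int | abs }}"`. `octavia_num_security_group_rules` is derived from this value, so it is low by the same factor. The hunk only changes spacing, so fixing the expression raises both quotas on existing deployments and deserves a release note.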
@@ -169,16 +176,17 @@ systemd_tempd_prefix: openstack systemd_slice_name: "{{ octavia_system_slice_name }}" systemd_lock_dir: "{{ octavia_lock_dir }}" - systemd_CPUAccounting: true - systemd_BlockIOAccounting: true - systemd_MemoryAccounting: true - systemd_TasksAccounting: true + systemd_service_cpu_accounting: true + systemd_service_block_io_accounting: true + systemd_service_memory_accounting: true + systemd_service_tasks_accounting: true systemd_services: "{{ filtered_octavia_services }}" tags: - octavia-config - systemd-service -- include_role: +- name: Including osa.service_setup role + include_role: name: openstack.osa.service_setup apply: tags: @@ -218,7 +226,8 @@ tags: - always -- include_tasks: octavia_mgmt_network.yml +- name: Including octavia_mgmt_network tasks + include_tasks: octavia_mgmt_network.yml args: apply: tags: @@ -231,13 +240,15 @@ tags: - always -- import_tasks: octavia_security_group.yml +- name: Importing octavia_security_group tasks + import_tasks: octavia_security_group.yml when: - _octavia_is_first_play_host tags: - octavia-install -- include_tasks: octavia_keypair.yml +- name: Including octavia_keypair tasks + include_tasks: octavia_keypair.yml args: apply: tags: @@ -247,7 +258,8 @@ tags: - always -- include_tasks: octavia_flavor_create.yml +- name: Importing octavia_flavor_create tasks + include_tasks: octavia_flavor_create.yml args: apply: tags: 
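Review bot: The name added for `octavia_flavor_create.yml` in tasks/main.yml reads "Importing" although the task uses `include_tasks`. Every other name introduced in this commit follows the module, with "Including" for `include_tasks`/`include_role` and "Importing" for `import_tasks`. Rename it to `- name: Including octavia_flavor_create tasks` so the play output describes a dynamic include. The task's `when` and `tags` continue below the hunk.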
@@ -259,24 +271,28 @@ tags: - always -- import_tasks: octavia_post_install.yml +- name: Importing octavia_post_install tasks + import_tasks: octavia_post_install.yml tags: - octavia-install - octavia-config -- import_tasks: octavia_db_sync.yml +- name: Importing octavia_db_sync tasks + import_tasks: octavia_db_sync.yml when: - _octavia_is_first_play_host tags: - octavia-install -- import_tasks: octavia_policy.yml +- name: Importing octavia_policy tasks + import_tasks: octavia_policy.yml tags: - octavia-install - octavia-config - octavia-policy-override -- include_tasks: octavia_amp_image.yml +- name: Including octavia_amp_image tasks + include_tasks: octavia_amp_image.yml args: apply: tags: diff --git a/tasks/octavia_amp_image.yml b/tasks/octavia_amp_image.yml index eee8998d..90b2b80e 100644 --- a/tasks/octavia_amp_image.yml +++ b/tasks/octavia_amp_image.yml @@ -34,6 +34,7 @@ get_url: url: "{{ octavia_artefact_url }}" dest: "{{ octavia_amp_image_path }}" + mode: "0644" retries: 10 delay: 10 register: octavia_download_result @@ -74,6 +75,7 @@ --private --project {{ octavia_service_project_name }} amphora-x64-haproxy + changed_when: false - name: Delete old image from glance openstack.cloud.image: diff --git a/tasks/octavia_install.yml b/tasks/octavia_install.yml index 5d0a88c8..87f43837 100644 --- a/tasks/octavia_install.yml +++ b/tasks/octavia_install.yml @@ -6,6 +6,7 @@ section: "octavia" option: "install_method" value: "{{ octavia_install_method }}" + mode: "0644" - name: Refresh local facts to ensure the octavia section is present setup: 
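Review bot: The amphora download in tasks/octavia_amp_image.yml now sets `mode: "0644"` but still fetches `octavia_artefact_url` with no integrity check. The later tasks in this file suggest the file becomes the glance image that load balancer instances boot from, so a tampered or truncated download would propagate to every amphora. `get_url` accepts a `checksum` argument; an optional variable would let deployers pin the artefact, for example `checksum: "{{ octavia_amp_image_checksum | default(omit) }}"` (the variable name is a suggestion, not an existing default). The task starts above the hunk, so arguments not visible here may already cover part of this.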
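Review bot: `changed_when: false` in the second hunk of tasks/octavia_amp_image.yml is attached to a command whose visible tail (`--private --project {{ octavia_service_project_name }} amphora-x64-haproxy`) looks like an image upload rather than a read-only query. If that is what it runs, the task will always report "ok" and a replaced amphora image leaves no trace in the play recap. The same setting is added to both "Save iptables rules" tasks in tasks/octavia_post_install.yml. Deriving the status from a registered result would satisfy the linter without hiding the change; if that is not practical, a `# noqa: no-changed-when` with a short justification is more honest than a constant `false`. The command begins above the hunk, so confirm what it executes first.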
@@ -33,8 +34,11 @@ venv_install_destination_path: "{{ octavia_bin | dirname }}" venv_install_distro_package_list: "{{ octavia_distro_packages }}" venv_pip_install_args: "{{ octavia_pip_install_args }}" - venv_pip_packages: "{{ octavia_pip_packages | union(octavia_user_pip_packages) + - (octavia_oslomsg_amqp1_enabled | bool) | ternary(octavia_optional_oslomsg_amqp1_pip_packages, []) }}" + venv_pip_packages: >- + {{ + octavia_pip_packages | union(octavia_user_pip_packages) + + (octavia_oslomsg_amqp1_enabled | bool) | ternary(octavia_optional_oslomsg_amqp1_pip_packages, []) + }} venv_facts_when_changed: - section: "octavia" option: "venv_tag" diff --git a/tasks/octavia_keypair.yml b/tasks/octavia_keypair.yml index eb60daac..85fe5664 100644 --- a/tasks/octavia_keypair.yml +++ b/tasks/octavia_keypair.yml @@ -35,6 +35,7 @@ copy: content: "{{ _octavia_keypair['keypair']['private_key'] }}" dest: "{{ lookup('env', 'HOME') }}/.ssh/{{ octavia_ssh_key_name }}" + mode: "0600" delegate_to: localhost when: - _octavia_keypair is changed diff --git a/tasks/octavia_post_install.yml b/tasks/octavia_post_install.yml index 13f8e4ae..fa3591de 100644 --- a/tasks/octavia_post_install.yml +++ b/tasks/octavia_post_install.yml @@ -15,7 +15,7 @@ # iptables module doesn't see empty string as a null value so this is the only # way to get a configurable rule definition in right now -- name: iptables rules +- name: IPtables rules iptables: "{{ item }}" with_items: "{{ octavia_iptables_rules }}" when: octavia_ip_tables_fw | bool 
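Review bot: The `mode: "0600"` added in tasks/octavia_keypair.yml is applied only when the task runs, and the task is guarded by `when: _octavia_keypair is changed`. A private key written by an earlier run of the role, which set no mode and so inherited the deploy user's umask, therefore keeps its old permissions. An unconditional follow-up task that enforces `0600` on an already existing key file would close that gap. Adding `no_log: true` to the copy is also worth considering, so the key material passed through `content` cannot surface in verbose or diff output. Nothing in the hunk creates `~/.ssh` or checks its permissions, and the task begins above the hunk while its `when` list continues below it.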
@@ -23,13 +23,15 @@ # This is totally odd: If you run the commands via run-parts (as the script # in the distro does) they return 1; but do their job. If you run them # directly they work. Ignoring errors for now -- -- name: save iptables rules (Debian/Ubuntu) +- name: Save iptables rules (Debian/Ubuntu) command: netfilter-persistent save + changed_when: false failed_when: false when: ansible_facts['os_family'] == 'Debian' -- name: save iptables rules (CentOS) +- name: Save iptables rules (CentOS) shell: iptables-save > /etc/sysconfig/iptables + changed_when: false when: - ansible_facts['distribution'] == 'CentOS' diff --git a/tasks/octavia_pre_install.yml b/tasks/octavia_pre_install.yml index 9948fb97..076a6995 100644 --- a/tasks/octavia_pre_install.yml +++ b/tasks/octavia_pre_install.yml @@ -33,9 +33,9 @@ file: path: "{{ item.path }}" state: directory - owner: "{{ item.owner|default(octavia_system_user_name) }}" - group: "{{ item.group|default(octavia_system_group_name) }}" - mode: "{{ item.mode|default('0755') }}" + owner: "{{ item.owner | default(octavia_system_user_name) }}" + group: "{{ item.group | default(octavia_system_group_name) }}" + mode: "{{ item.mode | default('0755') }}" with_items: - { path: "/openstack", owner: "root", group: "root" } - { path: "/openstack/venvs", owner: "root", group: "root" } diff --git a/vars/main.yml b/vars/main.yml index 64822d21..d9b10d42 100644 --- a/vars/main.yml +++ b/vars/main.yml 
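Review bot: The "Save iptables rules (CentOS)" task in tasks/octavia_post_install.yml still runs only when `ansible_facts['distribution'] == 'CentOS'`, while meta/main.yml in this same commit declares the generic `EL` 9 platform. On EL derivatives that report a different distribution name, the rules applied by the preceding task would never be written to `/etc/sysconfig/iptables` and would be lost on reboot. If those systems are meant to be supported, match on the family instead: `when: ansible_facts['os_family'] == 'RedHat'`. On the Debian task, the existing `failed_when: false` together with the new `changed_when: false` reports a failed `netfilter-persistent save` as plain "ok". Registering the result and warning on a non-zero `rc` would keep the workaround while making a non-persisted firewall state visible.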
@@ -13,7 +13,11 @@ # See the License for the specific language governing permissions and # limitations under the License. -_octavia_is_first_play_host: "{{ (octavia_services['octavia-api']['group'] in group_names and inventory_hostname == (groups[octavia_services['octavia-api']['group']] | intersect(ansible_play_hosts)) | first) | bool }}" +_octavia_is_first_play_host: >- + {{ + (octavia_services['octavia-api']['group'] in group_names and + inventory_hostname == (groups[octavia_services['octavia-api']['group']] | intersect(ansible_play_hosts)) | first) | bool + }} # # Compile a list of the services on a host based on whether @@ -65,14 +69,14 @@ uwsgi_octavia_services: |- {{ services }} _octavia_legacy_policies: - "context_is_admin": "role:admin or role:load-balancer_admin" - "admin_or_owner": "is_admin:True or project_id:%(project_id)s" - "load-balancer:read": "rule:admin_or_owner" - "load-balancer:read-global": "is_admin:True" - "load-balancer:write": "rule:admin_or_owner" - "load-balancer:read-quota": "rule:admin_or_owner" - "load-balancer:read-quota-global": "is_admin:True" - "load-balancer:write-quota": "is_admin:True" + "context_is_admin": "role:admin or role:load-balancer_admin" + "admin_or_owner": "is_admin:True or project_id:%(project_id)s" + "load-balancer:read": "rule:admin_or_owner" + "load-balancer:read-global": "is_admin:True" + "load-balancer:write": "rule:admin_or_owner" + "load-balancer:read-quota": "rule:admin_or_owner" + "load-balancer:read-quota-global": "is_admin:True" + "load-balancer:write-quota": "is_admin:True" _octavia_jobboard_driver_map: zookeeper: zookeeper_taskflow_driver