From 09d805bc232941b8837034e6082452bb110ac38e Mon Sep 17 00:00:00 2001
From: Jonathan Rosser
Date: Tue, 16 Jul 2024 18:08:25 +0100
Subject: [PATCH] Use hosts setup playbooks from openstack-ansible-plugins repo

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/924257
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/927826
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/928592
Change-Id: Ie03b41eeb02e3f5e31900926e133d1b34ecb0ac4
---
 playbooks/certificate-authority.yml     |  17 +---
 playbooks/certificate-generate.yml      |  20 +----
 playbooks/certificate-ssh-authority.yml |  18 +----
 playbooks/containers-deploy.yml         |   6 +-
 playbooks/containers-lxc-create.yml     | 102 +------------------------
 playbooks/containers-lxc-destroy.yml    |  83 +-----------------
 playbooks/containers-lxc-host.yml       |  49 +-----------
 playbooks/openstack-hosts-setup.yml     |  68 +---------------
 playbooks/security-hardening.yml        |  33 +-------
 playbooks/setup-hosts.yml               |  27 +------
 10 files changed, 21 insertions(+), 402 deletions(-)

diff --git a/playbooks/certificate-authority.yml b/playbooks/certificate-authority.yml
index cc15343286..6c8072de69 100644
--- a/playbooks/certificate-authority.yml
+++ b/playbooks/certificate-authority.yml
@@ -12,18 +12,5 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Create CA certificates
-  hosts: "{{ openstack_pki_setup_host | default('localhost') }}"
-  gather_facts: "{{ osa_gather_facts | default(True) }}"
-  tags:
-    - always
-  tasks:
-    - name: "Create CA certificates"
-      include_role:
-        name: pki
-        tasks_from: main_ca.yml
-      vars:
-        pki_dir: "{{ openstack_pki_dir }}"
-        pki_create_ca: "{{ openstack_pki_authorities | default([]) | length > 0 }}"
-        pki_regen_ca: "{{ openstack_pki_regen_ca }}"
-        pki_authorities: "{{ openstack_pki_authorities }}"
+- name: Import certificate_authority playbook
+  import_playbook: openstack.osa.certificate_authority
diff --git a/playbooks/certificate-generate.yml b/playbooks/certificate-generate.yml
index aab5b2aba5..d589437274 100644
--- a/playbooks/certificate-generate.yml
+++ b/playbooks/certificate-generate.yml
@@ -12,21 +12,5 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Generate any extra user certificates
-  hosts: "{{ openstack_pki_setup_host | default('localhost') }}"
-  gather_facts: "{{ osa_gather_facts | default(True) }}"
-  tags:
-    - always
-  tasks:
-    - name: Create user certificates
-      include_role:
-        name: pki
-        tasks_from: main_certs.yml
-      vars:
-        pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
-        pki_dir: "{{ openstack_pki_dir }}"
-        cert_dir: "{{ pki_dir }}/certs"
-        pki_search_certificates_pattern: "user_pki_certificates_"
-        pki_regen_cert: "{{ user_pki_regen_cert | default(false) }}"
-      when:
-        - pki_create_certificates | default(true)
+- name: Import certificate_generate playbook
+  import_playbook: openstack.osa.certificate_generate
diff --git a/playbooks/certificate-ssh-authority.yml b/playbooks/certificate-ssh-authority.yml
index acd539fb6e..cc1467ccd4 100644
--- a/playbooks/certificate-ssh-authority.yml
+++ b/playbooks/certificate-ssh-authority.yml
@@ -12,19 +12,5 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Create SSHD CA
-  hosts: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
-  gather_facts: "{{ osa_gather_facts | default(True) }}"
-  tags:
-    - always
-    - sshd-ca
-  tasks:
-    - name: "Create SSHD certificate authority"
-      include_role:
-        name: openstack.osa.ssh_keypairs
-      vars:
-        ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
-        ssh_keypairs_dir: "{{ openstack_ssh_keypairs_dir }}"
-        ssh_keypairs: "{{ openstack_ssh_keypairs_authorities }}"
-        ssh_keypairs_install_authorities: false
-        ssh_keypairs_install_keypairs: false
+- name: Import certificate_ssh_authority playbook
+  import_playbook: openstack.osa.certificate_ssh_authority
diff --git a/playbooks/containers-deploy.yml b/playbooks/containers-deploy.yml
index 7a6d14c833..886067e079 100644
--- a/playbooks/containers-deploy.yml
+++ b/playbooks/containers-deploy.yml
@@ -13,7 +13,5 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Import container hosts playbook
-  import_playbook: "containers-lxc-host.yml"
-- name: Import containers create playbook
-  import_playbook: "containers-lxc-create.yml"
+- name: Import containers_deploy playbook
+  import_playbook: openstack.osa.containers_deploy
diff --git a/playbooks/containers-lxc-create.yml b/playbooks/containers-lxc-create.yml
index b49d7acfae..57c8de5b5f 100644
--- a/playbooks/containers-lxc-create.yml
+++ b/playbooks/containers-lxc-create.yml
@@ -13,103 +13,5 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Set lxc containers group
-  hosts: "{{ container_group | default('all_containers') }}"
-  gather_facts: false
-  tasks:
-    - name: Setup installation variables
-      include_role:
-        name: openstack.osa.install_defaults
-        defaults_from: "{{ install_method }}"
-        public: true
-        apply:
-          tags:
-            - always
-      tags:
-        - always
-    - name: Add hosts to dynamic inventory group
-      group_by:
-        key: lxc_containers
-        parents: all_lxc_containers
-      when:
-        - container_tech == 'lxc'
-      tags:
-        - always
-        - lxc-containers-create
-
-- name: Gather lxc hosts facts
-  hosts: "{{ lxc_host_group | default('lxc_hosts') }}"
-  gather_facts: true
-  tags:
-    - always
-
-- name: Create container(s)
-  hosts: all_lxc_containers
-  user: root
-  gather_facts: false
-  environment: "{{ deployment_environment_variables | default({}) }}"
-  tags:
-    - lxc-containers-create
-  pre_tasks:
-    - name: Setup installation variables
-      include_role:
-        name: openstack.osa.install_defaults
-        defaults_from: "{{ install_method }}"
-        public: true
-        apply:
-          tags:
-            - always
-      tags:
-        - always
-  roles:
-    - role: "lxc_container_create"
-  post_tasks:
-    - name: Wait for container connectivity
-      wait_for_connection:
-        connect_timeout: "{{ lxc_container_wait_params.connect_timeout | default(omit) }}"
-        delay: "{{ lxc_container_wait_params.delay | default(omit) }}"
-        sleep: "{{ lxc_container_wait_params.sleep | default(omit) }}"
-        timeout: "{{ lxc_container_wait_params.timeout | default(omit) }}"
-
-    - name: Clear facts for new container(s)
-      meta: clear_facts
-
-- name: Gather lxc containers facts
-  hosts: all_lxc_containers
-  gather_facts: true
-  tags:
-    - always
-
-- name: Configure containers default software
-  hosts: all_lxc_containers
-  user: root
-  gather_facts: false
-  environment: "{{ deployment_environment_variables | default({}) }}"
-  tags:
-    - lxc-containers-create
-  pre_tasks:
-    - name: Check for a supported Operating System
-      assert:
-        that:
-          - (ansible_facts['distribution'] == 'Debian' and ansible_facts['distribution_release'] == 'bullseye') or
-            (ansible_facts['distribution'] == 'Debian' and ansible_facts['distribution_release'] == 'bookworm') or
-            (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_release'] == 'jammy') or
-            (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_release'] == 'noble') or
-            (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '9')
-        msg: >
-          The only supported platforms for this release are Debian 11 (Bullseye), Debian 12 (Bookworm)
-          Ubuntu 22.04 (Jammy), CentOS 9 Stream, and Rocky Linux 9.
-    - name: Setup installation variables
-      include_role:
-        name: openstack.osa.install_defaults
-        defaults_from: "{{ install_method }}"
-        public: true
-        apply:
-          tags:
-            - always
-      tags:
-        - always
-  roles:
-    - role: "openstack_hosts"
-      is_container: true
+- name: Import containers_lxc_create playbook
+  import_playbook: openstack.osa.containers_lxc_create
diff --git a/playbooks/containers-lxc-destroy.yml b/playbooks/containers-lxc-destroy.yml
index 27bb90ae46..40070addfa 100644
--- a/playbooks/containers-lxc-destroy.yml
+++ b/playbooks/containers-lxc-destroy.yml
@@ -13,84 +13,5 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Set lxc containers group
-  hosts: "{{ container_group | default('all_containers') }}"
-  gather_facts: false
-  tasks:
-    - name: Add hosts to dynamic inventory group
-      group_by:
-        key: lxc_containers
-        parents: all_lxc_containers
-      when:
-        - container_tech == 'lxc'
-      tags:
-        - always
-        - lxc-containers-create
-
-- name: Destroy lxc containers
-  hosts: all_lxc_containers
-  gather_facts: false
-  user: root
-  tasks:
-    - name: Slurp machine-id
-      slurp:
-        src: "/etc/machine-id"
-      register: _container_machine_id
-      changed_when: false
-      failed_when: false
-      tags:
-        - always
-
-    - name: Destroy a container
-      lxc_container:
-        name: "{{ container_name }}"
-        state: "absent"
-      delegate_to: "{{ physical_host }}"
-      when:
-        - force_containers_destroy | bool
-
-    - name: Destroy container journal directories
-      vars:
-        container_machine_id: "{{ ((_container_machine_id.content | default('bm9uZQo=')) | b64decode).strip() }}"
-      file:
-        path: "/var/log/journal/{{ container_machine_id }}"
-        state: "absent"
-      delegate_to: "{{ physical_host }}"
-      when:
-        - not _container_machine_id is failed
-        - force_containers_destroy | bool
-
-    - name: Destroy container service directories
-      file:
-        path: "{{ item }}"
-        state: "absent"
-      with_items:
-        - "/var/lib/lxc/{{ container_name }}"
-      delegate_to: "{{ physical_host }}"
-      when:
-        - force_containers_destroy | bool
-    - name: Destroy container data
-      file:
-        path: "{{ item }}"
-        state: "absent"
-      with_items:
-        - "/openstack/{{ container_name }}"
-        - "/openstack/backup/{{ container_name }}"
-        - "/openstack/log/{{ container_name }}"
-        - "/openstack/glusterd/{{ container_name }}"
-        - "/var/log/lxc/lxc-{{ container_name }}.log"
-      delegate_to: "{{ physical_host }}"
-      when:
-        - force_containers_destroy | bool
-        - force_containers_data_destroy | bool
-  vars_prompt:
-    - name: "force_containers_destroy"
-      prompt: "Are you sure you want to destroy the LXC containers?"
-      default: "no"
-      private: no
-    - name: "force_containers_data_destroy"
-      prompt: "Are you sure you want to destroy the LXC container data?"
-      default: "no"
-      private: no
-  tags:
-    - lxc-containers-destroy
+- name: Import constainers_lxc_destroy playbook
+  import_playbook: openstack.osa.containers_lxc_destroy
diff --git a/playbooks/containers-lxc-host.yml b/playbooks/containers-lxc-host.yml
index b1cb29ba8a..712d1dffbc 100644
--- a/playbooks/containers-lxc-host.yml
+++ b/playbooks/containers-lxc-host.yml
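Review bot: The play name on the added line reads `Import constainers_lxc_destroy playbook`, a typo for "containers" that will be printed in every run's output; change it to `- name: Import containers_lxc_destroy playbook`. The imported target `openstack.osa.containers_lxc_destroy` is spelled correctly, so only the display name is affected. The removed play also gated its deletions behind two `vars_prompt` confirmations (`force_containers_destroy`, `force_containers_data_destroy`) defaulting to "no"; whether the collection playbook keeps the same prompts and variable names is not visible in this diff, and deployers who pass those variables on the command line depend on them, so it is worth confirming before merge.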
@@ -13,50 +13,5 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Gather lxc hosts facts
-  hosts: "{{ lxc_host_group | default('lxc_hosts') }}"
-  gather_facts: "{{ osa_gather_facts | default(True) }}"
-  tags:
-    - always
-
-- name: Basic lxc host setup
-  hosts: "{{ lxc_host_group | default('lxc_hosts') }}"
-  user: root
-  gather_facts: false
-  serial: "{{ lxc_hosts_serial | default(['100%']) }}"
-  environment: "{{ deployment_environment_variables | default({}) }}"
-  tags:
-    - lxc-hosts
-  pre_tasks:
-    - name: Setup installation variables
-      include_role:
-        name: openstack.osa.install_defaults
-        defaults_from: "{{ install_method }}"
-        public: true
-
-    - name: Check the state of the default LXC service log directory
-      stat:
-        path: "/var/log/lxc"
-      register: _lxc_log_dir
-    - name: Create the log aggregation parent directory
-      file:
-        path: "/openstack/log"
-        state: directory
-        mode: "0755"
-    - name: Move the existing folder to the log aggregation parent
-      command: "mv /var/log/lxc /openstack/log/{{ inventory_hostname }}-lxc" # noqa: no-changed-when
-      when:
-        - _lxc_log_dir.stat.isdir is defined
-        - _lxc_log_dir.stat.isdir | bool
-    - name: Create the new LXC service log directory
-      file:
-        path: "/openstack/log/{{ inventory_hostname }}-lxc"
-        state: directory
-        mode: "0755"
-    - name: Create the LXC service log aggregation link
-      file:
-        src: "/openstack/log/{{ inventory_hostname }}-lxc"
-        dest: "/var/log/lxc"
-        state: "link"
-  roles:
-    - role: "lxc_hosts"
+- name: Import containers_lxc_host playbook
+  import_playbook: openstack.osa.containers_lxc_host
diff --git a/playbooks/openstack-hosts-setup.yml b/playbooks/openstack-hosts-setup.yml
index 4ba1512d4f..c17299e79b 100644
--- a/playbooks/openstack-hosts-setup.yml
+++ b/playbooks/openstack-hosts-setup.yml
@@ -13,69 +13,5 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# NOTE(mhayden): CentOS always has python (because of yum), but it's possible
-# that Ubuntu nodes may not have python by default. Ansible doesn't work very
-# well if Python isn't installed.
-#
-# Also, we can't use a 'when' to check for the ansible_facts['pkg_mgr'] here because
-# we haven't gathered facts yet.
-- name: Install Ansible prerequisites
-  hosts: "{{ openstack_host_group|default('hosts') }}"
-  gather_facts: false
-  user: root
-  pre_tasks:
-    - name: Ensure python is installed
-      register: result
-      raw: |
-        if which apt-get >/dev/null && ! which python >/dev/null ; then
-          if ! which python3 >/dev/null ; then
-            apt-get -y install python3
-          fi
-          update-alternatives --install /usr/bin/python python /usr/bin/python3 10
-          exit 2
-        else
-          exit 0
-        fi
-      changed_when: "result.rc == 2"
-      failed_when: "result.rc not in [0, 2]"
-
-- name: Gather host facts
-  hosts: "{{ openstack_host_group|default('hosts') }}"
-  gather_facts: "{{ osa_gather_facts | default(True) }}"
-  tags:
-    - always
-
-- name: Basic host setup
-  hosts: "{{ openstack_host_group|default('hosts') }}"
-  gather_facts: false
-  user: root
-  pre_tasks:
-    - name: Setup installation variables
-      include_role:
-        name: openstack.osa.install_defaults
-        defaults_from: "{{ install_method }}"
-        public: true
-        apply:
-          tags:
-            - always
-      tags:
-        - always
-
-    - name: Check for a supported Operating System
-      assert:
-        that:
-          - (ansible_facts['distribution'] == 'Debian' and ansible_facts['distribution_release'] == 'bookworm') or
-            (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_release'] == 'jammy') or
-            (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_release'] == 'noble') or
-            (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '9')
-        msg: >
-          The only supported platforms for this release are Debian 12 (Bookworm)
-          Ubuntu 22.04 (Jammy), CentOS 9 Stream, and Rocky Linux 9.
-  roles:
-    - role: "openstack_hosts"
-  post_tasks:
-    - name: Ensure deploy host SSH connection is reset
-      meta: reset_connection
-  environment: "{{ deployment_environment_variables | default({}) }}"
-  tags:
-    - openstack-hosts
+- name: Import openstack_hosts_setup playbook
+  import_playbook: openstack.osa.openstack_hosts_setup
diff --git a/playbooks/security-hardening.yml b/playbooks/security-hardening.yml
index 0e4a1c0a9b..9e6101201d 100644
--- a/playbooks/security-hardening.yml
+++ b/playbooks/security-hardening.yml
@@ -13,34 +13,5 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# As an additional safeguard, this playbook requires the
-# 'apply_security_hardening' boolean set to True for it to apply security
-# hardening standards to a system.
-
-- name: Gather security hardening facts
-  hosts: "{{ security_host_group|default('hosts') }}"
-  gather_facts: "{{ osa_gather_facts | default(True) }}"
-  tasks:
-    - name: Gather additional facts
-      include_role:
-        name: openstack.osa.gather_extra_facts
-      vars:
-        deployment_extra_facts_filter: ansible_mounts
-        deployment_extra_facts_subset: "!all,hardware"
-      when: osa_gather_facts | default(True)
-  tags:
-    - always
-
-- name: Apply security hardening configurations
-  hosts: "{{ security_host_group|default('hosts') }}"
-  gather_facts: false
-  user: root
-  pre_tasks:
-  tasks:
-    - name: Include security hardening role
-      include_role:
-        name: "ansible-hardening"
-      when: apply_security_hardening | bool
-  environment: "{{ deployment_environment_variables | default({}) }}"
-  tags:
-    - security
+- name: Import security_hardening playbook
+  import_playbook: openstack.osa.security_hardening
diff --git a/playbooks/setup-hosts.yml b/playbooks/setup-hosts.yml
index 9b415071d8..70ddac52a9 100644
--- a/playbooks/setup-hosts.yml
+++ b/playbooks/setup-hosts.yml
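Review bot: The security-hardening.yml hunk drops the comment explaining that hardening is applied only when `apply_security_hardening` is true, so the new two-line file gives a reader no indication that the playbook is opt-in or where the gate now lives. Whether `openstack.osa.security_hardening` still checks that variable cannot be seen from this diff; confirm it, and if it does, keep a one-line pointer above the import such as `# Hardening is only applied when 'apply_security_hardening' is true; the check lives in the openstack.osa collection playbook.` The openstack-hosts-setup.yml hunk removes the NOTE(mhayden) rationale for bootstrapping Python with a `raw` task in the same way, again without a forward reference to where that logic moved.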
@@ -1,5 +1,5 @@
 ---
-# Copyright 2014, Rackspace US, Inc.
+# Copyright 2024, BBC R&D.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,26 +13,5 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Importing pre hook playbook
-  import_playbook: "{{ pre_setup_hosts_hook | default('hook-dummy.yml') }}"
-
-- name: Importing certificate-authority playbook
-  import_playbook: certificate-authority.yml
-
-- name: Importing certificate-ssh-authority playbook
-  import_playbook: certificate-ssh-authority.yml
-
-- name: Importing certificate-generate playbook
-  import_playbook: certificate-generate.yml
-
-- name: Importing openstack-hosts-setup playbook
-  import_playbook: openstack-hosts-setup.yml
-
-- name: Importing containers-deploy playbook
-  import_playbook: containers-deploy.yml
-
-- name: Importing security-hardening playbook
-  import_playbook: security-hardening.yml
-
-- name: Importing post hook playbook
-  import_playbook: "{{ post_setup_hosts_hook | default('hook-dummy.yml') }}"
+- name: Importing certificate_authority playbook
+  import_playbook: openstack.osa.setup_hosts
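Review bot: The added play name `Importing certificate_authority playbook` does not describe what the line does: it imports `openstack.osa.setup_hosts`, the whole host-setup sequence, so run output will be misleading; change it to `- name: Importing setup_hosts playbook`. The removed lines also provided the `pre_setup_hosts_hook` and `post_setup_hosts_hook` entry points; whether the collection playbook still honours those variables is not visible in this diff, and deployers who rely on them should be told either in a comment above the import or in a release note. In the first hunk the original Rackspace copyright line is replaced rather than a second holder being added; that may be intentional, but it is worth confirming since the file's history continues.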