This breaks the use of the ansible synchronize module
when the parameter use_ssh_args is true with an error
from ssh via rsync that there is an unknown parameter.
Removing the newline makes the synchronize module
work correctly.
Change-Id: Ib7fc3068ecc339e02d641196513c1b676a9a9f69
Enabling TLS on the internal VIP for existing deployments will cause
downtime until each client is configured to use HTTPS instead of HTTP.
To avoid downtime, it is recommended to enable
`openstack_service_accept_both_protocols` until all services are
configured correctly.
It allows haproxy frontends to accept both HTTP and HTTPS.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/864784
Change-Id: Ie6f5b73c54b0a6d1f661a9d4f33b8a301d8c4170
This patch aims to reduce confusion caused by a variable
`container_address` that's applicable for bare metal hosts. With that
it renames `is_container_address` to `is_management_address`
to be aligned with the purpose of the variable, as `container` part
raised confusion.
Change-Id: I314224f3376cf91e05680b11d225fdaf81ec32ab
This will allow the services to be cloned from github or a local
mirror by setting a small number of variables rather than overriding
every git repo URL individually.
Change-Id: I750d897e9e3c8ca161c0740c73cdc4c6e42b6440
We've switched all services to store logs to journald by default and
rsyslog roles are not used except for a really small number of use cases that
are also hardly valid as of today. With that we deprecate repos and remove
their usage to reduce maintenance load.
Change-Id: Iefd4143f83f4df44b917180000a1aa57161b2811
The RabbitMQ role defaults change in Yoga to enable the management
UI with TLS/HTTPS. This implicitly disables the HTTP port.
This commit adjusts the HAProxy config to take account of this
change and switch the port used accordingly. The
rabbitmq_management_ssl variable is also set explicitly to ensure
it is defined with appropriate scope.
Change-Id: I5a9f9855aa701d12bc3c9e2e7e9c651ff606c319
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible
Change-Id: I42e40adc20a122ea5bba292b1f6fea9e79b3c365
Package upgrade during normal operations might be risky since it often
involves service restarts. It's better to avoid that when possible and
perform package upgrade only during major/minor upgrades. We change
default value of package_state and adjust doc and upgrade script to
reflect this change.
Change-Id: I9971a259a207b263df48a77d5ac74752f044873a
If wheels or requirements files are created on a secondary
repo server these cannot be modified/deleted by the primary
repo server when it comes back online as this uses rsync as the
'nginx' user. This patch allows the owner of the created files
to be set explicitly to avoid this issue.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-python_venv_build/+/804073
Change-Id: Ifdbac876013068855cd4405ca1bbacd262ec4d74
With minimal facts gathering we will experience failures while trying to
evaluate the number of threads for apis or mounts for hardening. So to avoid
gathering the full hardware subset, we add a common-task which will gather
only a specific subset that can be additionally filtered.
Gathering the processor or mounts subset simply does not work with ansible
and results in the full hardware subset as well.
Change-Id: Ia5802b4ec0b18271b8c5fbcc5574b484c5233a01
Ussuri is the last release that openstack-ansible will support Centos-7.
Remove this for the Victoria release.
Change-Id: Ief6cbb2d02bfdc4e6c3c0fbb0cc9ab5a3eab98c3
These addresses are given defaults of 0.0.0.0 in the role defaults
but in a deployment we know which address each service should bind to.
The variable container_address should hold the local mgmt network IP
address for either containerised or metal deployments.
This patch defines a new variable management_address which removes
confusion about container_address for metal deployments, and overrides
the role default bind addresses for all roles.
Depends-On: https://review.opendev.org/753638
Change-Id: I7471ff1da9602f67134e217f5427e492fa7a7814
The default is broken because lookup from a missing env var returns
an empty string. Unless the 2nd parameter 'true' is passed to
default, it only defaults undefined variables. An empty string is
not undefined, so the default never works.
In group_vars/all/all.yml, it doesn't matter that the default never
works, because openstack-ansible.rc always sets OSA_CONFIG_DIR.
In get-ansible-role-requirements.yml, it makes a difference, because
the first time this playbook runs during bootstrap,
openstack-ansible.rc will not be loaded yet. This means the default
user roles path is always going to be '/user-role-requirements.yml'
instead of '/etc/openstack_deploy/user-role-requirements.yml'.
Change-Id: Id9e53958daf9494e5baf9cd1e34ed6f83eefa5f4
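The behaviour described in the commit message above, as an added example that is not part of the original commit or the openstack-ansible repository: a minimal playbook contrasting `default()` with and without its second argument when `OSA_CONFIG_DIR` is unset. The play, the task names and the `broken_path`/`fixed_path` variables are illustrative assumptions.

```yaml
---
# Added illustration (not from the openstack-ansible repository).
# Run with the variable unset:
#   env -u OSA_CONFIG_DIR ansible-playbook demo.yml
- name: Show why default() needs its second argument for env lookups
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # lookup('env', ...) returns '' for a missing variable. An empty string
    # is defined, so plain default() never fires and the directory is lost.
    broken_path: "{{ lookup('env', 'OSA_CONFIG_DIR') | default('/etc/openstack_deploy') }}/user-role-requirements.yml"
    # default(value, true) also replaces falsy values such as ''.
    fixed_path: "{{ lookup('env', 'OSA_CONFIG_DIR') | default('/etc/openstack_deploy', true) }}/user-role-requirements.yml"
  tasks:
    - name: Print both results
      ansible.builtin.debug:
        msg:
          - "without true: {{ broken_path }}"
          - "with true: {{ fixed_path }}"

    - name: Check the two results against the paths named in the commit message
      ansible.builtin.assert:
        that:
          - broken_path == '/user-role-requirements.yml'
          - fixed_path == '/etc/openstack_deploy/user-role-requirements.yml'
        fail_msg: "Unexpected result; is OSA_CONFIG_DIR set in this shell?"
```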
This also adds variable `openstack_clone_root` which is equal to the
environment variable $OSA_CLONE_ROOT and defaults to `/opt/openstack-ansible`.
Change-Id: I9e0c980f80980c389e27d5b54077b08a596a33f4
Detect CentOS and deploy from source as python2, otherwise default to
python3 on all other distros.
Change-Id: Ic68dc0923a26ece68b1971648c62bb2e0c05c50b
In Queens, the hosts file management began occurring on all hosts
and containers because openstack_hosts role now runs on all inventory
items (prior to Queens, it only ran on 'hosts'). The flag for managing
the /etc/hosts management should now be moved to the 'all' group
vars.
Change-Id: I0a9e8e86cd1eb40f55d40eb291f49563a433fd82
In the previous repo build process, we had global constraints which
override upper constraints and anything set in the roles. This was
essential for two purposes:
1. To enable us to pin things that were not in upper constraints. eg: pip,
setuptools, wheel
2. To enable us to pin things which were in upper constraints, but broken.
This would usually be a temporary measure until upper constraints was
fixed.
This patch extracts the global pins from global-requirement-pins.txt
into a list and sets 'venv_build_global_constraints' to the resulting
list so that it is applied to all venvs built.
In order to reliably find this file without using a hard-coded path, we
implement a change to the wrapper script to set the path in it in a
similar manner to that implemented for the inventory path.
Depends-On: I9ae3ef19c863b9237a51d2fcd6f4ebce1a9ebad7
Change-Id: I138fe1c8ea80fe71244ab0dc6497cfc6d7bdf953
We have some basics wired up in order to use a different config
directory for running OpenStack Ansible. However, a lot of those
are implemented as configuration arguments to the dynamic inventory
script but that's impossible to pass normally when running Ansible.
This patch creates a new environment variable called OSA_CONFIG_DIR
which allows you to customize the directory of your openstack_deploy
folder which means that you can use a deploy host for several diff.
environments.
Change-Id: Ia528ff449330fbb04be6cd0d03353fa3158e6694
The repo container's package cache causes quite a bit of confusion
given that it's a 'hidden' feature which catches deployers off-guard
when they already have their own cache configured. This is really
the kind of service which people should manage outside of OSA. It
also makes no sense if the deployer is using their own local mirror
which is a fairly common practise. Adding to that, it seems that it
is broken in bionic, causing massive delays in package installs.
Finally, it also adds to quite a bit of complexity due to the fact
that it's in a container - so in the playbooks prior to the container's
existence we have to detect whether it's there and add/remove the config
accordingly.
Let's just remove it and let deployers manage their own caching
infrastructure if they want it.
Depends-On: https://review.openstack.org/608631
Change-Id: Ia0fb41266a6d62073b02c8ad6fa97b8b7d408a67
With branching done earlier than the rc1 freeze, we needed
to bring the release notes from the updated roles into the
integrated repo.
On top of the changes needed for M1 is the version change.
The openstack SHAs will be updated in a separate commit.
Change-Id: I4d5211062966bc4fdb9f5d36eec46d9911012acd
Add new 'aio_distro_basekit' jobs to test the minimal basekit deployment
using distribution packages for the OpenStack services.
We can skip all repo-* related playbooks and roles since we are not
building pip packages for OpenStack services anymore. Finally, we can
populate the utility container using the distribution packages for the
OpenStack client instead of using the wheel packages.
Change-Id: Ia8c394123b5588fff8c4acbe1532ed5a6dc7e8ec
Depends-On: https://review.openstack.org/#/c/583161/
Depends-On: https://review.openstack.org/#/c/567530/
Depends-On: https://review.openstack.org/#/c/580455/
Implements: blueprint openstack-distribution-packages
Without this patch, inventories with hosts without the field
"properties" cannot be used. Currently, the group variable
resolution will fail when parsing properties.is_metal, as
properties wouldn't be defined.
This is a problem, because it forces deployers with an external
inventory to add a useless "properties" field for them.
This patch solves the problem by simplifying the conditions,
making them valid if the deployer has defined is_metal in its
inventory or not.
Change-Id: Ic09b455016dd3d4f7945900d13d37fdc86f80134
Now that master has a patch for releasing milestone 2, we can
unfreeze the ansible-role-requirements to allow role iterations.
The version of OSA has been bumped at the same time to be ready
for the next freeze.
Change-Id: Ibfd14d2113ff41d8548551881846cdfaa927d6d6
Depends-On: https://review.openstack.org/#/c/573394/
As part of cleaning inventory variables, we are
moving some of the variables to be created in
roles instead of the inventory, and removing
variables used only to create other variables and
nowhere else.
Change-Id: I8dfd1904de36ca2b9f163bd5447bfa40ddf4ca3a
Depends-On: I9a00e3bd5dca4581cb43bf298c4d792375b5252f
Depends-On: Icc0606ed948e3596d037b9159602e7b7b06311d8
Depends-On: I983a20d923384bf54cb0af924ec0a0f8ef4db191
The rsyslog role has served us well however there's now a better way
given the ability to remotely journal. This change disables the use of
the `rsyslog_client` and `server` roles unless journal remote is
unavailable. In this change the `rsyslog_client` interaction has been
moved into an include_tasks which is conditionally loaded when the
variable `rsyslog_client_enabled` is set to true. Additionally the
`rsyslog_server` role is disabled unless `rsyslog_server_enabled`
is set true. Using the new variables legacy functionality can be
enabled. By disabling the general rsyslog roles we'll lessen the
overall IO on the cloud and improve the speed of the deployment.
> NOTE: At this time there's no suitable package to install
"systemd-journal-remote" on opensuse so a conditional has been
added to ensure distributed log syncing remains functional on
all of our supported distros. Should a package be made
available for journal remote we can globally disable the
legacy rsyslog roles entirely by default.
Change-Id: Ice21667c6999d0ac86b2d7bde648a0375f890210
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
In order to continue testing from the head of the role repositories
to prepare for milestone 2, we revert the role freeze and set the
release to 18.0.0.0b2
Change-Id: I35b2eef362a0a53f2236cd2dab11778e44c85d48
This patch updates all the roles to the latest available stable
SHA's, copies the release notes from the updated roles into the
integrated repo, updates all the OpenStack Service SHA's, and
updates the appropriate python requirements pins.
Change-Id: I76277f47d9216dde91dac7248bb1adbf3805af20
The journal within systemd is able to be shipped from a physical host
to a centralized location. This change introduces
`systemd-journal-remote` which will ship all journals on the physical
host to the log host and store the journals under
"/var/log/journal/remote". This change gives deployers greater
visibility into the cloud using the systemd built-ins.
> NOTE: This change is all accomplished in a playbook using our common
roles. While this could be moved into a role by itself, it would
be a waste of effort given how small this change is.
Given all services are inherently logging to the journal, this change
may allow us to one day deprecate or minimize the usage of our
rsyslog roles. If we were to remove the requirement for rsyslog to run
everywhere we could reduce overall internal cluster IO (CPU, network and
block) and remove the requirement for all services to ship log files from
all containers and hosts. This change is NOT modifying the integrated
logging architecture. At this time we're simply ensuring that the
journals on the physical host are co-located on the logging machines.
At this time there's no suitable package available for
systemd-journal-remote on suse so the playbook to install and setup
remote journalling is being omitted when suse is detected. When a
suitable package is found the playbook omission should be removed.
Change-Id: I254d52df6303b7cc4d4071b4beaf347922b2616e
Related-Change: https://review.openstack.org/553707
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Similar to the CentOS case, we should use 'present' instead of 'latest'
for the package state so we don't spend time resolving dependencies,
querying repos etc. The 'present' state can be further improved either
in the zypper itself or in the Ansible module.
Link: https://github.com/ansible/ansible/pull/37191
Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1084525
Change-Id: I8a6598013714e468d19f4984288d2c746515b5ca
The CentOS 7 AIO jobs time out fairly frequently in the gates and
this patch switches the jobs to use the new aio_basekit scenario in
the hopes that jobs will complete more often.
This patch also sets SELinux to Permissive mode for CentOS 7 gate
testing. This can be changed back to Enforcing when CentOS 7's
SELinux policies are ready.
This patch also sets package_state to present for CentOS 7 jobs. This
is a temporary measure to ensure more of the gate jobs can finish on
time and we can expose deployment issues in the gates.
Change-Id: Ic478a7402fee3df0667f0d6fd9a714688808b2ec
This change adds an nspawn container driver which will enable deployers
to run clouds with systemd-nspawn instead of LXC. This adds "nspawn"
as an option to the `container_tech` variable. To support this change,
the inventory generation tools have been updated to allow for a
new group named `nspawn_hosts`. All of the container connectivity and
setup are stored within the integrated repo under the new templates
directory.
The addition of "nspawn" container driver enables the ability for
deployers to change, or mix container technologies within a single
deployment without needing to change our well defined network
topology or storage layout.
Depends-On: I13d05ba8bcfe785257a9cf98dbdb6024ec937816
Change-Id: I41cfec63c423cd56a91c25dabae9aa1031c27e03
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This patch updates all the roles to the latest available stable
SHA's, copies the release notes from the updated roles into the
integrated repo.
The OpenStack services SHA's will be manually updated in another
patch.
Change-Id: I78d85f33926bc979f7d0df0adc8e8245bf1223ad
Now that milestone 3 is released, we can move back to using master
for the roles, to see fast changes.
Change-Id: Idce198cf45a49857b64cc13a0a7476b2d4e632ae
This patch updates all the roles to the latest available stable
SHA's, copies the release notes from the updated roles into the
integrated repo, updates all the OpenStack Service SHA's, and
updates the appropriate python requirements pins.
Change-Id: I5fea16a84c881d0e66b713cdb55c8dcabcb80491
Move the playbooks/inventory folder, group_vars, and host_vars to
inventory/ in the root of the OpenStack-Ansible repo. This helps better
organize the repo structure since playbooks/ will now only contain
playbooks, shared task files, and included repo package var files.
group_vars and host_vars are moved alongside the inventory since that's
the default place that Ansible expects those folders and to help better
prepare for Ansible 2.4 where multiple inventories can be loaded,
automatically including relative group and host var files.
Affected docs, scripts, and variables have been updated with the new
paths.
Change-Id: If50e2412c3fd6575d7041deb8ecc9480b04184cc