From 322415d3c4bcefb5d1e590b0e5699a8caec506d9 Mon Sep 17 00:00:00 2001 From: Brendan Shephard Date: Mon, 13 Feb 2023 19:58:09 -0800 Subject: [PATCH] Add configure tasks for iscsid role This patch adds configure task which replaces the iscsid configuration in [1] with these modifications. - configure /etc/iscsi on the host directly, so it eliminates the use of /var/lib/config-data/ansible-generated - remove "sync from host" and "sync to host" operations which are no longer needed. - optimize the install task. [1] https://github.com/openstack/puppet-tripleo/blob/master/manifests /profile/base/iscsid.pp Co-Authored-By: Manoj Katari Change-Id: Idb57bb5179897ee7b4461f81372e6021b72be4d8 --- .../defaults/main.yml | 1 - .../roles/tripleo_iscsid/defaults/main.yml | 6 ++- .../roles/tripleo_iscsid/files/iscsid.yaml | 5 -- .../roles/tripleo_iscsid/tasks/configure.yml | 47 +++++++++++++++++-- .../roles/tripleo_iscsid/tasks/install.yml | 46 ++++++++++-------- .../roles/tripleo_iscsid/tasks/run.yml | 26 ++++++++++ .../tripleo_nova_compute/defaults/main.yml | 2 +- .../kolla_config/nova_compute.yaml.j2 | 7 --- 8 files changed, 100 insertions(+), 40 deletions(-) diff --git a/tripleo_ansible/roles/tripleo_container_standalone/defaults/main.yml b/tripleo_ansible/roles/tripleo_container_standalone/defaults/main.yml index 8ecae680d..b36671d6c 100644 --- a/tripleo_ansible/roles/tripleo_container_standalone/defaults/main.yml +++ b/tripleo_ansible/roles/tripleo_container_standalone/defaults/main.yml @@ -70,4 +70,3 @@ tripleo_container_standalone_volumes: "{{ tripleo_debug: False tripleo_deploy_identifier: '' -tripleo_iscsid_config_volume: /var/lib/config-data/ansible-generated/iscsid diff --git a/tripleo_ansible/roles/tripleo_iscsid/defaults/main.yml b/tripleo_ansible/roles/tripleo_iscsid/defaults/main.yml index b6b770050..6c49abb1f 100644 --- a/tripleo_ansible/roles/tripleo_iscsid/defaults/main.yml +++ b/tripleo_ansible/roles/tripleo_iscsid/defaults/main.yml 
@@ -23,13 +23,15 @@ tripleo_iscsid_debug: "{{ (ansible_verbosity | int) >= 2 | bool }}" tripleo_iscsid_hide_sensitive_logs: true tripleo_iscsid_image: "quay.io/tripleomastercentos9/openstack-iscsid:current-tripleo" -tripleo_iscsid_config_dir: /var/lib/config-data/ansible-generated/iscsid +tripleo_iscsid_config_image: "{{ tripleo_iscsid_image }}" tripleo_iscsid_volumes: - /var/lib/kolla/config_files/iscsid.json:/var/lib/kolla/config_files/config.json:ro - /dev:/dev - /run:/run - /sys:/sys - /lib/modules:/lib/modules:ro - - "{{ tripleo_iscsid_config_dir }}/etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro" + - /etc/iscsi:/etc/iscsi:z - /etc/target:/etc/target:z - /var/lib/iscsi:/var/lib/iscsi:z + +tripleo_iscsid_chap_algs: 'SHA3-256,SHA256,SHA1,MD5' diff --git a/tripleo_ansible/roles/tripleo_iscsid/files/iscsid.yaml b/tripleo_ansible/roles/tripleo_iscsid/files/iscsid.yaml index 2df91b19d..6d022911e 100644 --- a/tripleo_ansible/roles/tripleo_iscsid/files/iscsid.yaml +++ b/tripleo_ansible/roles/tripleo_iscsid/files/iscsid.yaml @@ -1,6 +1 @@ command: /usr/sbin/iscsid -f -config_files: - - source: "/var/lib/kolla/config_files/src-iscsid/" - dest: "/etc/iscsi/" - merge: true - preserve_properties: true diff --git a/tripleo_ansible/roles/tripleo_iscsid/tasks/configure.yml b/tripleo_ansible/roles/tripleo_iscsid/tasks/configure.yml index 2e5832869..1e1e71961 100644 --- a/tripleo_ansible/roles/tripleo_iscsid/tasks/configure.yml +++ b/tripleo_ansible/roles/tripleo_iscsid/tasks/configure.yml 
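Review bot: The new default `tripleo_iscsid_chap_algs: 'SHA3-256,SHA256,SHA1,MD5'` in tripleo_iscsid/defaults/main.yml keeps SHA1 and MD5 enabled for CHAP, and nothing beside it says why or that operators are expected to override it. The value matches the list open-iscsi documents for `node.session.auth.chap_algs`, so the weak digests are presumably kept for targets that support nothing stronger. I would add a comment above the variable such as `# CHAP digests offered to the target, most preferred first; SHA1 and MD5 remain only for legacy targets, override to 'SHA3-256,SHA256' where every target supports them`. Quoting the value as a string is correct and should stay.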
@@ -14,8 +14,45 @@ # License for the specific language governing permissions and limitations # under the License. -- name: Ensure {{ tripleo_iscsid_config_dir }}/etc/iscsi exists - file: - path: "{{ tripleo_iscsid_config_dir }}/etc/iscsi" - state: directory - recurse: true + +- name: Check if the iSCSI initiator name (IQN) has been reset + ansible.builtin.stat: + path: /etc/iscsi/.initiator_reset + register: initiator_reset_state + +# NOTE: Each overcloud node must have its own, unique iSCSI Qualified Name +# (IQN) but it has to be reset once, and only once as all the services on the +# node must use the same IQN. It is reset based on the existence of +# .initiator_reset sentinel file. + +- name: Ensure the system has a unique IQN + when: initiator_reset_state.stat.exists == False + block: + + - name: Generate a unique IQN + ansible.builtin.command: podman run -ti --rm --name iscsid_config {{ tripleo_iscsid_config_image }} /usr/sbin/iscsi-iname + register: iscsi_iname + + - name: Save the new IQN + ansible.builtin.copy: + dest: /etc/iscsi/initiatorname.iscsi + content: "InitiatorName={{ iscsi_iname.stdout }}" + + - name: Record the IQN has been reset + ansible.builtin.file: + path: /etc/iscsi/.initiator_reset + state: touch + +- name: Write CHAP algorithms + ansible.builtin.lineinfile: + path: "/etc/iscsi/iscsid.conf" + line: "node.session.auth.chap_algs = {{ tripleo_iscsid_chap_algs }}" + regexp: "^node.session.auth.chap_algs" + insertafter: "^#node.session.auth.chap.algs" + register: modify_stat + +- name: Record the iscsid container restart is required + when : modify_stat.changed + ansible.builtin.file: + path: /etc/iscsi/.iscsid_restart_required + state: touch diff --git a/tripleo_ansible/roles/tripleo_iscsid/tasks/install.yml b/tripleo_ansible/roles/tripleo_iscsid/tasks/install.yml index 4ca494ca5..389950e44 100644 --- a/tripleo_ansible/roles/tripleo_iscsid/tasks/install.yml +++ b/tripleo_ansible/roles/tripleo_iscsid/tasks/install.yml 
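Review bot: `Save the new IQN` writes `iscsi_iname.stdout` into /etc/iscsi/initiatorname.iscsi without checking that it is an IQN, and `Generate a unique IQN` runs podman with `-ti` although Ansible provides no terminal. With a pseudo-TTY the container's stderr is merged into stdout, so any warning it prints would presumably end up in the initiator name, and the sentinel would then stop it from being regenerated. I would drop `-ti` and add `failed_when: iscsi_iname.rc != 0 or not (iscsi_iname.stdout | trim).startswith('iqn.')` to the command task. The copy task should also set `mode: '0644'` explicitly instead of relying on the umask. Separately, `Write CHAP algorithms` has no `create: true`, so it fails if the host has no /etc/iscsi/iscsid.conf; since the host directory is now bind-mounted over the image's, it is worth confirming that file is always present on the host.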
@@ -14,40 +14,48 @@ # License for the specific language governing permissions and limitations # under the License. +- name: Create persistent directories + ansible.builtin.file: + path: "{{ item.path }}" + setype: "{{ item.setype }}" + state: directory + loop: + - { 'path': /etc/iscsi, 'setype': container_file_t } + - { 'path': /etc/target, 'setype': container_file_t } + - { 'path': /var/lib/iscsi, 'setype': container_file_t } -- name: create fcontext entry for iscsi +- name: Create fcontext entry for iscsi community.general.sefcontext: target: "{{ item.path }}(/.*)?" setype: "{{ item.setype }}" state: present - with_items: + loop: - { 'path': /etc/iscsi, 'setype': container_file_t } - { 'path': /etc/target, 'setype': container_file_t } - { 'path': /var/lib/iscsi, 'setype': container_file_t } - when: - - tripleo_selinux_mode | default('enforcing') == 'enforcing' -- name: create persistent directories - file: - path: "{{ item.path }}" - state: directory - setype: "{{ item.setype }}" - with_items: - - { 'path': /etc/iscsi, 'setype': container_file_t } - - { 'path': /etc/target, 'setype': container_file_t } - - { 'path': /var/lib/iscsi, 'setype': container_file_t } -- name: stat /lib/systemd/system/iscsid.socket - stat: path=/lib/systemd/system/iscsid.socket + +- name: Stat /lib/systemd/system/iscsid.socket + ansible.builtin.stat: + path: /lib/systemd/system/iscsid.socket register: stat_iscsid_socket + - name: Stop and disable iscsid.socket service - service: name=iscsid.socket state=stopped enabled=no + ansible.builtin.service: + name: iscsid.socket + state: stopped + enabled: no when: stat_iscsid_socket.stat.exists + - name: Check if iscsi.service is enabled - command: systemctl is-enabled --quiet iscsi.service + ansible.builtin.command: systemctl is-enabled --quiet iscsi.service failed_when: false register: iscsi_service_enabled_result + - name: Stop iscsi.service - service: name=iscsi.service state=stopped enabled=no + ansible.builtin.service: + name: 
iscsi.service + state: stopped + enabled: no when: - - not ansible_check_mode - iscsi_service_enabled_result is changed - iscsi_service_enabled_result.rc == 0 diff --git a/tripleo_ansible/roles/tripleo_iscsid/tasks/run.yml b/tripleo_ansible/roles/tripleo_iscsid/tasks/run.yml index 161e63967..22d3f278d 100644 --- a/tripleo_ansible/roles/tripleo_iscsid/tasks/run.yml +++ b/tripleo_ansible/roles/tripleo_iscsid/tasks/run.yml @@ -24,3 +24,29 @@ iscsid: "{{ lookup('template', 'iscsid.yaml.j2') | from_yaml }}" tripleo_container_standalone_kolla_config_files: iscsid: "{{ lookup('file', 'files/iscsid.yaml') | from_yaml }}" + register: manage_iscsid_stat + +- name: Check if the iscsid container restart is required + ansible.builtin.stat: + path: /etc/iscsi/.iscsid_restart_required + register: iscsi_restart_stat + +# Existence of sentinel file (.iscsid_restart_required) on the host +# indicates that restart of the iscisd container is needed to refresh +# /etc/iscsid.conf +# sentinel file will exist on an initial deployment, but the restart is +# actually needed only if the service is already running, so we check if +# the manage_iscsid_stat changed. + +- name: Restart iscsid container to refresh /etcd/iscsid.conf + when: + - not manage_iscsid_stat.changed|bool + - iscsi_restart_stat.stat.exists|bool + systemd: + name: tripleo_iscsid + state: restarted + +- name: Remove iscsid container restart sentinel file + ansible.builtin.file: + path: /etc/iscsi/.iscsid_restart_required + state: absent diff --git a/tripleo_ansible/roles/tripleo_nova_compute/defaults/main.yml b/tripleo_ansible/roles/tripleo_nova_compute/defaults/main.yml index fab9fe1c2..c4d427b01 100644 --- a/tripleo_ansible/roles/tripleo_nova_compute/defaults/main.yml +++ b/tripleo_ansible/roles/tripleo_nova_compute/defaults/main.yml 
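Review bot: `Create fcontext entry for iscsi` in install.yml loses its guard `when: tripleo_selinux_mode | default('enforcing') == 'enforcing'`, so it now also runs on hosts where SELinux is disabled. As far as I know `community.general.sefcontext` fails on such hosts unless `ignore_selinux_state` is set, so if they are still supported I would restore the guard as `when: tripleo_selinux_mode | default('enforcing') == 'enforcing'`. The same hunk also drops `not ansible_check_mode` from `Stop iscsi.service`; a short comment saying why that is now safe would help the next reader. The rewritten service tasks use `enabled: no`, which should be `enabled: false` to avoid YAML 1.1 truthy values.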
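Review bot: The restart condition `not manage_iscsid_stat.changed|bool` in run.yml relies on a `register` attached to a task that starts above this hunk, so it cannot be confirmed here that `changed` reflects the container being created. The context lines look like role vars; if the task is an `include_role`, the registered result probably does not carry the inner tasks' `changed`, and a first deployment would start the container and then restart it straight away. The task name and comment also name the wrong file (`/etcd/iscsid.conf`, `/etc/iscsid.conf`, "iscisd"), while configure.yml edits /etc/iscsi/iscsid.conf. I would rename the task to `- name: Restart iscsid container to refresh /etc/iscsi/iscsid.conf` and fix the comment to match. For consistency with the other tasks in this patch, `systemd:` should be written `ansible.builtin.systemd:`.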
@@ -132,11 +132,11 @@ tripleo_nova_compute_volumes: - /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro - /var/lib/kolla/config_files/nova_compute.json:/var/lib/kolla/config_files/config.json:ro - "{{ tripleo_nova_compute_config_dir }}:/var/lib/kolla/config_files/src:ro" - - "{{ tripleo_iscsid_config_volume }}:/var/lib/kolla/config_files/src-iscsid:ro" - "{{ tripleo_nova_compute_ceph_config_path }}:/var/lib/kolla/config_files/src-ceph:ro" - /dev:/dev - /lib/modules:/lib/modules:ro - /run:/run + - /etc/iscsi:/etc/iscsi:z - /var/lib/iscsi:/var/lib/iscsi:z - /var/lib/libvirt:/var/lib/libvirt:shared - /sys/class/net:/sys/class/net diff --git a/tripleo_ansible/roles/tripleo_nova_compute/templates/kolla_config/nova_compute.yaml.j2 b/tripleo_ansible/roles/tripleo_nova_compute/templates/kolla_config/nova_compute.yaml.j2 index a7766a502..18414a1ff 100644 --- a/tripleo_ansible/roles/tripleo_nova_compute/templates/kolla_config/nova_compute.yaml.j2 +++ b/tripleo_ansible/roles/tripleo_nova_compute/templates/kolla_config/nova_compute.yaml.j2 @@ -11,13 +11,6 @@ config_files: dest: "/" merge: true preserve_properties: true - # (TODO: slagle) This must be commented out until files exist at this path - # otherwise kolla-start fails. This can be enabled once the tripleo_iscsid - # role is actually generating configuration. - # - source: "/var/lib/kolla/config_files/src-iscsid/*" - # dest: "/etc/iscsi/" - # merge: true - # preserve_properties: true - source: "/var/lib/kolla/config_files/src-ceph/" dest: "/etc/ceph/" merge: true
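Review bot: The added `- /etc/iscsi:/etc/iscsi:z` entry in tripleo_nova_compute_volumes gives the nova_compute container read-write access to the host's initiator name and iscsid.conf, whereas the mount it replaces was `:ro`. Whether anything inside nova_compute writes under /etc/iscsi is not visible from this hunk. If it only reads initiatorname.iscsi and iscsid.conf, the entry should be `- /etc/iscsi:/etc/iscsi:ro,z` so that only the iscsid role and container can change the node's iSCSI identity and CHAP settings. The volumes list starts and continues outside the hunk.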