In order to ANSIBLE_INJECT_FACT_VARS=False we have to use ansible_facts
instead of ansible_* vars. This change switches our distribution and
hostname related items to use ansible_facts instead.
Change-Id: Id01e754f0cf9f6e98c02f45a4011f3d6f59f80a1
Related-Bug: #1915761
We've seen that a large amount of facts for hosts has a direct impact on
task execution as part of the deployment. This change reduces the
amount of data that we are collecting when we use facts and leverages
more targeted methods to collect the required information.
Change-Id: I49e6ca02c2b4791641fb27ebf258ef6c9d52dd9e
Related-Bug: #1915761
Starting with podman 2.X the default pids-limits has been halved from
4096 to 2048:

    $ rpm -q podman && podman run --rm -it --net=host --name 'pids' edecd409281d sh -c 'cat /sys/fs/cgroup/pids/pids.max'
    podman-2.2.1-3.module+el8.3.1+9392+c5f6d096.x86_64
    2048

With podman-1.6.4 the global default pid-limits was hardcoded to 4096
and we had no way to tweak it.
With podman 2.X it is possible to override this in
/etc/containers/containers.conf with the pids_limit setting inside
[containers] in the /etc/containers/containers.conf ini-file:

    $ cat /etc/containers/containers.conf
    [containers]
    pids_limit=6666
    $ podman run --rm -it --net=host --name 'pids' edecd409281d sh -c 'cat /sys/fs/cgroup/pids/pids.max'
    6666

By adding this we keep the older 4096 default so we do not regress and
at the same time we allow an operator to override this globally.
Related-Bug: #1915122
Change-Id: Id5d5fb9d20c0295763c78171190b9eda13508617
In order to launch the container and connect via networking, we need
selinux disabled for a rootless container to still work. Let's move the
selinux disabling to first rather than later.
Change-Id: I345e8b8547b81e5791656d0fca6e90b1de48fdac
Restrict network from gathering of unrelated facts.
That can be slow on systems with complex network configurations.
Change-Id: I2c58e5c1175ea9d77136c45fd58109bdacda8cef
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
It might happen this role isn't called without any fact gathering, for
instance running plain "ansible -m include_role -a role=tripleo_podman".
This small addition ensures we actually collect the needed things before
usage.
Change-Id: I2de4088bb3e9f3e049632f7d593a6ca8a2ac00de
Instead of blanking out the file, we need to configure it. An empty
file causes the `podman network` to not function and prevents us from
using containers without --net=host.
While we don't use this in tripleo today, it is beneficial to not leave
podman in a broken state on the undercloud or standalone if we actually
wanted to use podman networking for an external container. This change
won't remove the network if the interface has been configured and is in
use as to not break 'podman network'
It should be noted that the default interface was changed in later
versions from cni0 to cni-podman0 see podman 3755 (podman > 1.6).
Change-Id: Id3ba3a531b8f86d411c843683c94a9d632cbf217
Closes-Bug: #1889510
Closes-Bug: #1898120
Newer rhel version will provide newer tools, let's allow them for now
and decide if we must get some new redhat-8.3.yml and so on.
Change-Id: I81434e914d9c84a093f726181f7bb4a9b2042062
tripleo_podman_buildah_login.yml playbook from tripleo_podman
role is used in periodic jobs in upstream & downstream to push
containers.
In CentOS/RHEL, buildah comes from multiple repos, sometimes
untested package from different repo get installed causing
issues. Making it parameterized will help to install specific
version of buildah and avoid breakage.
Change-Id: I751452d4f60ceedd099f76e8127694a96a0b9549
Signed-off-by: Chandan Kumar (raukadah) <chkumar@redhat.com>
In t-h-t, we call "tasks_from" in order to exclusively call those two
files in different location.
We therefore need to ensure we actually set the right variables, even in
this case.
Change-Id: Ifbccd663373f0e29301810dcc088b83d968f6203
Related-Bug: #1891465
Since ansible "package" takes the version in the name directly, let's
ensure we have the "latest" of that version.
This allows to still use per-OS or per-release podman version in a
convenient and easy way.
Change-Id: I9d8ba2818c7b00893473360b8098ae5cdecbb256
Recent version of podman requires yes/no when pruning images, except if
-f is given as an argument.
Let's first try the new way, and fallback on the old method.
Change-Id: Ie2a70d4ec40c2a2142b0857822edd5122b63c941
Closes-Bug: #1889418
Buildah login is not needed always, it's needed
when pushing to container registries, so make it
optional by role var tripleo_podman_buildah_login set
to false by default.
Related-Bug: #1886555
Change-Id: Ibb91dfa9684b481dea34607fc47c0d531d56ee45
buildah login and podman login with root do not share same
authfile, buildah uses /run/containers/0/auth.json while
podman uses /run/user/0/containers/auth.json resulted from
$XDG_RUNTIME_DIR.
To ensure both podman and buildah can access the configured
registry, run login command with both.
It's mainly needed as container images are being pushed
with tripleoclient using sudo buildah push and buildah creds
are not setup.
Related-Bug: #1886555
Change-Id: I3d38d406e9f63008f7060f31cc9ff378e97120bb
htpasswd is removed in latest registry image[1]
and it's breaking molecule job for tripleo_podman
role, let's use working registry image.
[1] https://github.com/docker/distribution-library-image/issues/106
Change-Id: I644210a2dcc4cb3810d0999e8c69f8d54f602793
This change will enable or disable no_log and debug options whenever the
verbosity is set to an integer greater than 2. This will ensure operators and
deployers are best equipped to troubleshoot issues by dynamically providing
additional data in an expected way. To ensure we're able to differentiate
between output masking and security masking, two options were used to enable or
disable no_log across our roles and playbooks.
> All debug options, without security implications, will now react to the
`ansible_verbosity` built in by default. Changes have been made to our
skeleton role to ensure this is enforced on all new roles created going
forward.
> An additional prefixed role option, `*_hide_sensitive_logs`, has been added to
allow operators to easily toggle sensitive output when required. The role
prefixed variables will respond to the global option `hide_sensitive_logs` as
defined in THT which will ensure a consistent user experience.
Depends-On: I84f3982811ade59bac5ebaf3a124f9bfa6fa22a4
Change-Id: Ia6658110326899107a0e277f0d2574c79a8a820b
Signed-off-by: Kevin Carter <kecarter@redhat.com>
This change updates all uses of docker to podman and removes our docker
installation process from zuul and our local test process. Some container
based tests have been moved to "delegated" because they no longer make
sense to run in a container and the hacks needed to maintain the container
based testing are not worth maintaining for podman.
Change-Id: I02de94a1229bfa847f14ecf282eadbcfe6396875
Signed-off-by: Kevin Carter <kecarter@redhat.com>
https://github.com/containers/image/blob/master/docs/containers-registries.conf.5.md#version-2
This allows for mirrors to be configured for specific hosts however it
is incompatible with the default v1 configuration so we have to nuke
the existing configuration. Additionally it uses TOML which there is
currently no ansible module to manage.
Change-Id: Ic35155f04bf05913b9e9b8eaa22fe6c02515396c
- octavia_controller_post_config: remove "ignore_errors: true". It's not
supposed to be needed, since there is already a
"failed_when: config_contents.rc != 0" which knows when to fail.
- octavia_undercloud, tripleo_cellv2, tripleo_ceph_common,
tripleo_container_manage, tripleo_packages and tripleo_puppet_cache:
replace "ignore_errors: true" by "failed_when: false" for debugging
experience. We know the tasks can fail and we don't care, let's just
not show them as failures in that case and force the task to never
fail.
- tripleo_podman: instead of ignoring errors, check if the config file
actually exists before wiping it out.
Change-Id: Ib3716e4823735a9db9bd3cac33b8daf0e5f3d186
We don't want to log the podman login information so let's add no_log.
Also add a tripleo_podman_debug variable that can be used to enable
login in case of emergency.
Change-Id: I913a3a211451cbbdc8b0238d27cbb7d62907d01b
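
The logging changes described in the commit messages above (debug output tied to `ansible_verbosity`, the `*_hide_sensitive_logs` switch, and `no_log` on the registry login run with both podman and buildah) can be sketched as a playbook. This is an added example, not code from the tripleo_podman role; every `example_*` name and `registry.example.com` are assumptions made for illustration.

```yaml
# Added example, not taken from the tripleo_podman role.
# Assumed names: example_role_*, example_registry*, registry.example.com.
- name: Separate output masking from security masking
  hosts: localhost
  gather_facts: false
  vars:
    # Global switch the commit message says is defined in THT.
    hide_sensitive_logs: true
    # Role-prefixed switch that follows the global one unless overridden.
    example_role_hide_sensitive_logs: "{{ hide_sensitive_logs | bool }}"
    # Debug output follows the verbosity of the run (greater than 2).
    example_role_debug: "{{ (ansible_verbosity | int) > 2 }}"
    example_registry: registry.example.com
    example_registry_user: pusher
    # Assumed source for the secret: read from the environment here.
    example_registry_password: "{{ lookup('env', 'EXAMPLE_REGISTRY_PASSWORD') }}"
  tasks:
    - name: List local images (noisy, nothing secret)
      ansible.builtin.command: podman images --format json
      register: example_images
      changed_when: false
      # Output masking only: shown once the operator raises verbosity.
      no_log: "{{ not (example_role_debug | bool) }}"

    - name: Log in to the registry with both tools
      ansible.builtin.command:
        argv:
          - "{{ item }}"
          - login
          - --username
          - "{{ example_registry_user }}"
          - --password-stdin
          - "{{ example_registry }}"
        # The password travels on stdin, so it is not in the process list.
        stdin: "{{ example_registry_password }}"
      loop:
        - podman
        - buildah
      # Security masking: verbosity alone never reveals this task's
      # arguments or result; the operator must flip the explicit switch.
      no_log: "{{ example_role_hide_sensitive_logs | bool }}"
```

Running with `-vvv` leaves the login task masked; only `-e hide_sensitive_logs=false` exposes it.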
When purging the docker service/directories, if there has
been an operating system upgrade in between (RHEL7 to
RHEL8), then the docker service will be inactive but the
folders used by Docker still need a purge. If the service
is not available and we try to stop it, then the Ansible
service task will fail.
This patch adds a guard to stop the service only when it
is available in the system.
Change-Id: Id6dc9a7bd71a7725ae1672c91bef5064a730b530
This change replaces all of the roles references in our various files with the
new role name. This is being done because Ansible no longer allows hyphens in
role names.
Change-Id: Ie899714aca49781ccd240bb259901d76f177d2ae
Signed-off-by: Kevin Carter <kecarter@redhat.com>
All roles that have a hyphen in them need to be renamed to use an
underscore. This change creates a symlink to all roles using their
original name which will ensure we maintain compatibility with
the rest of the TripleO stack. This is being done because roles with
hyphens are no longer valid within collections.
A temp PBR update has been made to accommodate all of the symlinks to
the legacy role names.
[0] https://docs.ansible.com/ansible/devel/dev_guide/developing_collections.html#roles-directory
Change-Id: Id00a3670351990e5489a297c4c7200f8c05af096
Signed-off-by: Kevin Carter <kecarter@redhat.com>