Not sure why but it seems to me that the parallel execution
is affecting this conditional evaluation.
As this conditional way was used in several places, this
patch aims also to change those places to look alike.
Closes-Bug: #1998501
Change-Id: Ib4de49adc50ee4c806882754c5657c7dbd1f8993
... to avoid the following warning.
[WARNING]: conditional statements should not include jinja2 templating
delimiters such as {{ }} or {% %}. Found: '{{ playbook_dir }}/{{
_task_file_path }}' is exists
Change-Id: Ie804bf9bebf32f45aebc1fb63def3f2f95774e98
These role task inclusions force a linear-like sequence
and result in a lot of unnecessary skipped tasks. This
takes extra time, and causes a lot of log noise which
makes debugging more difficult.
Given that a host can ever only have a single role, it
makes more sense to just include the applicable role
task file if it exists.
Change-Id: Id2cadceaaf563dc94fcf2d8ce0f0cb9054a65d40
In support of the wider Multi-RHEL effort. We will
need to support templating to allow for Ansible to
determine which container needs to be pulled to
the hosts based on their OS version.
This change adds support for that templating of
the puppet_config files.
Change-Id: I5b6a34c4013ad86585bdbd29dab882dd0dd1b3e2
In support of the wider Multi-RHEL effort. We will
need to support templating to allow for Ansible to
determine which container needs to be pulled to
the hosts based on their OS version.
This change adds support for that templating of
the docker_config files.
Change-Id: Id56a4670507524f41fde238887fce4dd19e90a87
There are times when there is no newline char at the end of files
that are used to a generate config hash. This is will result in
header lines with datetimestamp getting appended to the previous
line and not filtered. So, container-puppet.py would generate a
different TRIPLEO_CONFIG_HASH for services every time.
Ex. When using custom policies it would append puppet generated line
from cron config with timestamp to the last line from policy.json.
This would result in new config hash for every deployment and
containers getting replaced.
Resolves: rhbz#2083016
Change-Id: I2153844ed06756eeb9ff56cfff64908bed5fa577
With tripleo_free strategy a playbook run fails only after the
end of the play. In case a task failure for a node, the other nodes
keep continuing till the end of play. Therefore, --start-at-task
should be always at the beginning of the play as different nodes
can fail at different tasks and we need to always start from the
start of play.
Change-Id: I79ff5d3babd05c7d1ba5195f372c1348d6692e2b
Ansible free/tripleo_free strategies do not work well
for blocks with conditions, containing include_tasks.
Conditions ( i.e when: ) at times get mixed up resulting
in wrong condition being evaluated. As blocks are only
logical entities (conditions evaluated per task), we
shouldn't have any problem moving the conditions to tasks
in Host prep block to avoid the issue.
This fixes intermittent chrony failures in host_prep_tasks.
Note: This is a workaround as we've to backport it all
the way till train and has to be fixed in core ansible[1]
in the future.
[1] https://github.com/ansible/ansible/issues/60512
Resolves: rhbz#2084075
Resolves: rhbz#2111237
Change-Id: Id9f481f3fe75169bd4c3d721e23e847a1b6c8c43
This reverts commit 6d80912404.
Reason for revert: The decision was made to not pursue task-core and
directord. As such, these task-core methods are no longer required.
Change-Id: If3ec6485865755b584731835cdf866dc1feacfcb
We used to render all nodes data in check mode on each node.
However, after Ic10858ce7eaa5353d546e75b26e7149df2e1aa2a we
copy it from the control node, which is not generated in
check mode. Let's generate it on control node in check mode.
Resolves: rhbz#2096427
Change-Id: If4945d4b50262ef3adf1cd555e51039a98cdc433
This change ensures that firewall rules for haproxy endpoints are
enabled properly even when haproxy and api services are running in
different nodes.
With this change, firewall rule for ssl endpoints are removed from base
firewall rules because these ports are used by haproxy and not used by
api services.
Also, the adhoc implementation to run firewall configurations first is
refactored by the new host_firewall_tasks key. This allows us to
implement tasks to configure firewall in the corresponding resource
template.
Closes-Bug: #1961799
Depends-on: https://review.opendev.org/831547
Change-Id: I07ceab077f9a900f7e2e35af8acd3e7a337ed01a
... because the resource is valid only at host level. This helps us
avoid triggering service resources unexpectedly when we add specific
puppet classes (eg. rsync::server) to puppet_tags.
This also fixes the package resource which is not properly noop'ed in
conainer puppet tasks.
Change-Id: I2ce12fadd2bd1c65c098108362bb337ecd38d1a7
When using common-container-setup-tasks.yaml after
deployment/unbound/unbound-container-ansible.yaml the permission for
config-data are set to 750 since they are not set explicitely in
common-container-setup-tasks.yaml. This caused problems due to other
users not being able to read anythin below that folder. This changes
sets explicitely the permissions to 755 to avoid these problems.
Change-Id: I54fad8eb65bdcfd5d71a9999f2fb9ff97c143a62
Using the FQCN for ansible builtin tasks is required by the new
ansible-lint 6.0.0. Otherwise, the pep8 job fails running ansible-lint.
Closes-Bug: #1964935
Change-Id: I82f65a39856bc86cbdb58de969f0392ea36c4e04
Signed-off-by: James Slagle <jslagle@redhat.com>
Currently /etc/openldap is bind-mounted by keystone containers
with ro flag so it should be excluded from config files generaed
by puppet.
Closes-Bug: #1960781
Change-Id: I8027b829e6b5aebfcd36f5025bb9c848cc96ce3f
Do not wait for cloud init, when it's disabled via kernel args.
Change-Id: Ia6618111be285d6883bd7adfa2ac39d205d9fcc3
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Ansible doesn't guarantee interval of retries and more frequent retry
causes more overhead and delay in the whole timeout detection.
This change reduces frequency of the polling task to check status of
async task from 3 seconds x 1200 times to 10 seconds x 360 times to
avoid to much overhead.
Closes-Bug: #1955682
Change-Id: I7d0964693256b276b32c247533ef096a49fd6979
Deploy without gateway in the network data, the ping test fails
because no valid ip address. Added default value when not present.
ping_test_ips is a space separated string. Added default value as
empty string. Also removed space (' ') from split as by default
split will work based on space. Adding space string creates list
with empty string [""].
ping_test_gateway_ips is a list of ips. Added default value as [].
Change-Id: I987e093fc1ebb8dc47b39b914483936b6e7e4d6b
container-selinux is applying a specific label to that location[1]. In
order to avoid conflict and keep things clean, openstack-selinux allows
container_t to manage files and directories with that new container_log_t
context[2].
Note: this patch must NOT be backported to stable/train, but is needed
in stable/wallaby (osp-17) in order to be consistent.
[1] 7e5f3cae10
[2] db6cb8e7f0
Change-Id: Ic0620f2e619730fa47a0b3feb5ca56d934f1416f
This change adds a new output to service definitions called
core_services which are used to define task-core services that will be
collected and exported during the config-download progress. These
services are mapped to TripleO roles and published into a task-core role
file in the config-download.
Related-Blueprint: unified-orchestration
Change-Id: I6954ecc92e740212a4502ac5fa8e53eeed22d043
Depends-On: https://review.opendev.org/c/openstack/tripleo-common/+/798721
Add ping test for gateway IPs on all networks, to ensure
all gateways are reachable.
The releated Bugzilla reports an issue where some network
fabrics fail when using the current node ping test, which
pings the first node in each role. The fabric simply does
not forward traffic before the gateway has been pinged.
One can argue that the fabric in question is broken. However,
with the current implementation the first node in each role
actually ping tests only against it's own address? So adding
the test to ping the gateway addresses improves the validation
in general.
Related RHBZ#1875962
Depends-On: I93cded61ffb862e99fd8043dbf0def3d16079692
Change-Id: I3309f2a0e39ad115930ecd5c0e895816565819e9
In python yaql 2, the expressions are returning a nested list but we
need a list of dictionaries in order to use map_merge. This change adds
flatten so it returns [] instead of [[]] when nothing is available.
Change-Id: Ic5144c58ceb9bd146e2c470725ec7f4b65328c4d
Closes-Bug: #1947193
In ansible, usage of true/false for boolean values, instead of yes/no,
is considered as a best practise and is enforced by ansible-lint with
the "truthy value should be one of false, true (truthy)" rule.
This change replaces usage of yes/no by true/false to follow that
practise.
Change-Id: I3313278f1ef6cbee0f906aca0a77bde1a3c53784
Remove the filtering of network_virtual_ips based on
the hard-coded network names. The depends-on does similar
filtering by using the service_net_map instead.
This should allow better support for custom network names,
custom ServiceNetMap and use of service_net_map_replace in
network data.
Related-Bug: #1946239
Depends-On: I9c5d681c266db1e5048a1be6557c20abd5a07f7b
Change-Id: I1c904d2f09e4679e50713d344abdff4fd830132a
With Ephemeral Heat, we can no longer rely on the stack
action to perform tasks. Such as we did with
NetworkDeploymentActions. This change will add a new
parameter to replace this functionality.
Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/805213
Change-Id: I7067c31f4fcc3f263ae2e3ab993c8bff7113d55b
When restarting a container-puppet-{service} container,
make sure to remove /etc/puppet from its storage,
otherwise the config generation might fail, for example
when using upload-puppet-module with a stack update.
Change-Id: I1ff3363259397bba60f5ec09086cb7de34e7af8b
Closes-Bug: #1940571
Via Ief0729e51997c3eb1dba679cc40ce7bbf4702bc3 "Adjust shutdown service
management" we dropped support for tripleo_container_manage_systemd_order
let's just remove its use in THT before we remove all traces of it in
tripleo-ansible (via Icc93a5f2d05ef79ff81748435d385cb83b469d4b).
Change-Id: I6fb00e27f8d18ff42f214e5045301c3334d14277
This change removes the jinja found within the conditionals used in our
deploy steps playbook which will resolve an Ansible warning seen when
running a deployment.
Change-Id: Ifa66a0805cba5c5a095731bda5e4f8c31626ed96
Signed-off-by: Kevin Carter <kecarter@redhat.com>
When checking for the existence of task files at a given path, the path
should be prefaced with {{playbook_dir}} so that the correct absolute
path is checked. Otherwise, the path is relative to the working
directory which does not have to be the same as playbook_dir.
Change-Id: Ia16f249b240c06128374551f6110419f9c1923c9
Signed-off-by: James Slagle <jslagle@redhat.com>
Switch container puppet tasks to use the module for management rather
than the tripleo_container_manage role which has a bunch of unrelated
tasks.
Change-Id: I4398322a02f6f899ea226b60336da83fc841812f
Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/796884
Juan Badia Payno