heat_template_version: rocky description: > TripleO Package installation settings parameters: ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json DefaultPasswords: default: {} type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json EnablePackageInstall: default: 'false' description: Set to true to enable package installation at deploy time type: boolean GlanceNodeStagingUri: default: 'file:///var/lib/glance/staging' description: > URI that specifies the staging location to use when importing images type: string UpgradeLeappEnabled: description: Use Leapp for operating system upgrade type: boolean default: false UpgradeLeappDebug: description: Print debugging output when running Leapp type: boolean default: true UpgradeLeappDevelSkip: description: | Skip Leapp checks by setting env variables when running Leapp in development/testing. For example, LEAPP_DEVEL_SKIP_RHSM=1. type: string default: '' UpgradeLeappCommandOptions: description: | In case or using UpgradeLeappDevelSkip with LEAPP_NO_RHSM=1 user can specify --enablerepo --enablerepo options for leapp to use these repositories for the upgrade process. type: string default: '' UpgradeLeappRebootTimeout: description: Timeout (seconds) for the OS upgrade phase via Leapp type: number default: 3600 UpgradeLeappPostRebootDelay: description: | Maximum (seconds) to wait for machine to reboot and respond to a test command. type: number default: 120 UpgradeLeappToRemove: default: [] description: List of packages to remove during Leapp upgrade. type: comma_delimited_list UpgradeLeappToInstall: default: [] description: List of packages to install after Leapp upgrade. type: comma_delimited_list LeappRepoInitCommand: type: string description: | Command or script snippet to run on all overcloud nodes to initialize the Leapp process. E.g. a repository switch. default: '' LeappInitCommand: type: string description: | Command or script snippet to run on all overcloud nodes to apply any necessary workarounds to get Leapp working. default: '' UpgradeInitCommand: type: string description: | Command or script snippet to run on all overcloud nodes to initialize the upgrade process. E.g. a repository switch. default: '' UpgradeInitCommonCommand: type: string description: | Common commands required by the upgrades process. This should not normally be modified by the operator and is set and unset in the major-upgrade-composable-steps.yaml and major-upgrade-converge.yaml environment files. default: '' SkipPackageUpdate: default: 'false' description: Set to true to skip the update all packages type: boolean SkipRhelEnforcement: default: "false" description: Whether to avoid or not RHEL/OSP policies enforcement on Red Hat. Mainly for CI purpose. It shouldn't matter on other distributions where it's disabled in the role. Set to true to skip the enforcement. type: string DnfStreams: default: [] description: List of streams to be configured before updating packages. Each list element contains a dictionary with the following values defined module[mandatory], stream[mandatory] and profile[optional]. If the profile is not specified 'common' will be used instead. type: json resources: RoleParametersValue: type: OS::Heat::Value properties: type: json value: map_replace: - map_replace: - dnf_module_list: DnfStreams upgrade_leapp_command_options: UpgradeLeappCommandOptions upgrade_leapp_to_remove: UpgradeLeappToRemove upgrade_leapp_to_install: UpgradeLeappToInstall upgrade_init_command: UpgradeInitCommand - values: {get_param: [RoleParameters]} - values: DnfStreams: {get_param: DnfStreams} UpgradeLeappCommandOptions: {get_param: UpgradeLeappCommandOptions} UpgradeLeappToRemove: {get_param: UpgradeLeappToRemove} UpgradeLeappToInstall: {get_param: UpgradeLeappToInstall} UpgradeInitCommand: {get_param: UpgradeInitCommand} outputs: role_data: description: Role data for the TripleO package settings value: service_name: tripleo_packages config_settings: tripleo::packages::enable_install: {get_param: EnablePackageInstall} step_config: | include ::tripleo::packages upgrade_tasks: - name: Gather missing facts setup: gather_subset: "distribution" when: >- ansible_facts['distribution'] is not defined or ansible_facts['distribution_major_version'] is not defined tags: - always - name: Set leapp facts set_fact: upgrade_leapp_enabled: >- {{ _upgradeLeappEnabled | bool and ansible_facts['distribution'] == 'RedHat' and ansible_facts['distribution_major_version'] is version('7', '==') }} upgrade_leapp_debug: {get_param: UpgradeLeappDebug} upgrade_leapp_devel_skip: {get_param: UpgradeLeappDevelSkip} upgrade_leapp_command_options: {get_attr: [RoleParametersValue, value, 'upgrade_leapp_command_options']} upgrade_leapp_command_options: {get_param: UpgradeLeappCommandOptions} upgrade_leapp_reboot_timeout: {get_param: UpgradeLeappRebootTimeout} upgrade_leapp_post_reboot_delay: {get_param: UpgradeLeappPostRebootDelay} vars: _upgradeLeappEnabled: {get_param: UpgradeLeappEnabled} tags: - always - name: system_upgrade_prepare step 3 tags: - never - system_upgrade - system_upgrade_prepare when: - step|int == 3 - upgrade_leapp_enabled block: - name: Hack around broken ceph-common rpm removing /etc/ceph /var/lib/ceph ignore_errors: true shell: | rpm -e --nodeps --noscripts ceph-common - name: remove all OpenStack packages shell: >- yum -y remove *el7ost* galera* xinetd* haproxy* httpd kernel-devel mysql* pacemaker* python-jsonpointer qemu-kvm-common-rhev qemu-img-rhev rabbit* redis* -- -*openvswitch* -python-docker -python-PyMySQL -python-pysocks -python2-asn1crypto -python2-babel -python2-cffi -python2-cryptography -python2-dateutil -python2-idna -python2-ipaddress -python2-jinja2 -python2-jsonpatch -python2-markupsafe -python2-pyOpenSSL -python2-requests -python2-six -python2-urllib3 -python2-chardet - name: Run LeappRepoInitCommand shell: list_join: - '' - - "#!/bin/bash\n\n" - {get_param: LeappRepoInitCommand} # WA for UEFI systems rhbz#1925078 - name: Check if system was booted via EFI stat: path: /sys/firmware/efi register: efi - name: Check if efi partition is present in /etc/fstab failed_when: false register: efi_fstab shell: | grep efi /etc/fstab - name: Find out the UUID of UEFI device register: efi_dev failed_when: false shell: | blkid -s UUID -o value "$(blkid -t TYPE=vfat | grep -i efi | cut -d ':' -f1)" - name: Check if red is in efibootmgr register: efi_broken failed_when: false shell: | efibootmgr | grep "red$" - when: - efi_fstab.rc is defined - efi_dev.rc is defined - efi_broken.rc is defined - efi.stat.exists|bool - efi_fstab.rc == 1 - efi_dev.rc == 0 - efi_broken.rc == 0 block: - name: Copy /boot/efi/EFI/redhat to /tmp copy: src: /boot/efi/EFI/redhat/ dest: /tmp/workaround_1925078_redhat/ remote_src: true - name: Insert /etc/fstab record lineinfile: dest: "/etc/fstab" line: "UUID={{ efi_dev.stdout }} /boot/efi vfat umask=0077 0 1" - name: Mount the /boot/efi command: mount /boot/efi - name: Copy /tmp/redhat to /boot/efi/EFI/redhat copy: src: /tmp/workaround_1925078_redhat/ dest: /boot/efi/EFI/redhat/ remote_src: true - name: Create boot record shell: | DEVICE_PATH="$(blkid -t TYPE=vfat | grep -i efi | cut -d ':' -f1)" DEVICE="$(lsblk -no pkname $DEVICE_PATH)" PARTITION="$(echo $DEVICE_PATH | awk '{print $NF}' FS=/$DEVICE)" efibootmgr -c -L 'Red Hat Enterprise Linux' -d $(echo $DEVICE_PATH | sed s/$PARTITION\$//) -p $PARTITION -l '\EFI\redhat\shimx64.efi' - name: Create grub config file command: grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg - name: Remove btrfs module in case fuse just loaded it failed_when: false command: rmmod btrfs - name: Set workaround_1925078_fired set_fact: workaround_1925078_fired: True - name: install leapp package: name: leapp state: latest - name: Retrieve files in /etc/leapp/files find: paths: "/etc/leapp/files" patterns: "*" register: uc_leapp_files delegate_to: undercloud - name: Fetch the Leapp data from undercloud fetch: dest: "{{ playbook_dir }}" src: "{{ item.path }}" loop: "{{ uc_leapp_files.files }}" delegate_to: undercloud - name: Copy the Leapp data from undercloud copy: dest: '{{ item.path }}' src: '{{ playbook_dir }}/{{ inventory_hostname }}/{{ item.path }}' loop: "{{ uc_leapp_files.files }}" - name: Run LeappInitCommand shell: list_join: - '' - - "#!/bin/bash\n\n" - {get_param: LeappInitCommand} - name: Remove obsolete nf_conntrack_proto_sctp from /etc/modules-load.d/ file: path: /etc/modules-load.d/nf_conntrack_proto_sctp.conf state: absent - name: "add packages into Leapp's to_remove file" vars: pkg_to_remove: { get_attr: [RoleParametersValue, value, 'upgrade_leapp_to_remove']} lineinfile: path: "/etc/leapp/transaction/to_remove" line: "{{ item }}" loop: "{{ pkg_to_remove }}" - name: "add packages into Leapp's to_install file" vars: pkg_to_install: {get_attr: [RoleParametersValue, value, 'upgrade_leapp_to_install']} lineinfile: path: "/etc/leapp/transaction/to_install" line: "{{ item }}" loop: "{{ pkg_to_install }}" - name: "check sshd_config file" stat: path: "/etc/ssh/sshd_config" register: sshd_config_result - name: "add PermitRootLogin option for leapp" lineinfile: path: "/etc/ssh/sshd_config" regexp: "^(# *)?PermitRootLogin" line: "PermitRootLogin without-password" - name: system_upgrade_prepare step 4 tags: - never - system_upgrade - system_upgrade_prepare when: - step|int == 4 - upgrade_leapp_enabled block: - name: unmount and remove nfs glance entry mount: path=/var/lib/glance/images state=absent ignore_errors: true - name: unmount and remove nfs glance staging entry vars: glance_node_staging_uri: {get_param: GlanceNodeStagingUri} mount: path="{{glance_node_staging_uri[7:]}}" state=absent ignore_errors: true - name: unmount and remove nfs nova entry mount: path=/var/lib/nova/instances state=absent ignore_errors: true - name: set leapp options shell: > leapp answer --section remove_pam_pkcs11_module_check.confirm=True --add - name: run leapp upgrade (download packages) shell: > {% if upgrade_leapp_devel_skip|default(false) %}{{ upgrade_leapp_devel_skip }}{% endif %} leapp upgrade {% if upgrade_leapp_debug|default(true) %}--debug{% endif %} {% if upgrade_leapp_command_options|default(false) %}{{ upgrade_leapp_command_options }}{% endif %} - name: system_upgrade_run step 4 tags: - never - system_upgrade - system_upgrade_run # In case someone needs to re-run system_upgrade_run post-tasks # but doesn't want to reboot, they can run with # `--skip-tags system_upgrade_reboot`. - system_upgrade_reboot when: - step|int == 4 - upgrade_leapp_enabled block: - name: Reset boot order if WA#1925078 fired and fix grubenv when: - workaround_1925078_fired is defined - workaround_1925078_fired|bool block: - name: shell: | NEXT_BOOT="$(efibootmgr -v | grep \\redhat | awk -F'[ t*]' '{print $2}')" efibootmgr -n $NEXT_BOOT # WA: some versions of grub2 fail to look for grubenv in /boot/grub2/grubenv # In this case we copy the file instead of creating simlink making sure if # this is the case than grubenv is still available for previous bootrecord. - name: Stat /boot/grub2/grubenv stat: path: /boot/grub2/grubenv register: grubenv - name: Copy /boot/grub2/grubenv to /boot/efi/EFI/redhat/grubenv when: grubenv.stat.islnk is defined and grubenv.stat.islnk == False copy: src: /boot/grub2/grubenv dest: /boot/efi/EFI/redhat/grubenv remote_src: true - name: reboot to perform the upgrade reboot: reboot_timeout: "{{upgrade_leapp_reboot_timeout}}" test_command: >- systemctl is-system-running | grep -e running -e degraded post_reboot_delay: "{{ upgrade_leapp_post_reboot_delay }}" - name: Set the python to python3 vars: ansible_python_interpreter: "/usr/bin/python3" shell: alternatives --set python /usr/bin/python3 - name: Package and repo update tasks when: step|int == 0 block: - name: Run UpgradeInitCommand shell: list_join: - '' - - "#!/bin/bash\n\n" - {get_attr: [RoleParametersValue, value, 'upgrade_init_command']} - name: Run UpgradeInitCommonCommand shell: list_join: - '' - - "#!/bin/bash\n\n" - {get_param: UpgradeInitCommonCommand} - name: Ensure DNF modules have the right stream vars: dnf_module_list: {get_attr: [RoleParametersValue, value, 'dnf_module_list']} dnf: name: "@{{ item.module }}:{{ item.stream }}/{{ item.profile|default('common') }}" state: present loop: "{{ dnf_module_list|list }}" when: - ansible_facts['distribution_major_version'] is version('8', '>=') - dnf_module_list|length > 0 - name: Ensure EL modules are in proper state shell: dnf -y distro-sync when: ansible_facts['distribution_major_version'] == '8' retries: 5 delay: 10 register: _dnf_distro_sync until: _dnf_distro_sync is success - name: Clean up Python 2 packages package: name: python2-* state: absent when: ansible_facts['distribution_major_version'] == '8' - name: Ensure TripleO prerequisite packages are installed package: name: - jq - lvm2 - net-snmp - openstack-selinux - os-net-config - puppet-tripleo - python3-heat-agent* - rsync state: present when: ansible_facts['distribution_major_version'] is version('8', '==') - name: Special treatment for OpenvSwitch tripleo_ovs_upgrade: when: - step|int == 2 register: ovs_upgrade - name: Always ensure the openvswitch service is enabled and running after upgrades service: name: openvswitch enabled: yes state: started when: - step|int == 2 - ovs_upgrade.changed|bool - name: Install libibverbs (https://bugs.launchpad.net/tripleo/+bug/1817743) when: step|int == 2 package: name: libibverbs state: installed - name: Check for os-net-config upgrade shell: "yum check-upgrade | awk '/os-net-config/{print}'" register: os_net_config_need_upgrade when: step|int == 3 - name: Check that os-net-config has configuration shell: test -s /etc/os-net-config/config.json register: os_net_config_has_config failed_when: false when: step|int == 3 - block: - name: Upgrade os-net-config package: name=os-net-config state=latest - name: take new os-net-config parameters into account now command: os-net-config --no-activate -c /etc/os-net-config/config.json -v --detailed-exit-codes register: os_net_config_upgrade failed_when: os_net_config_upgrade.rc not in [0,2] changed_when: os_net_config_upgrade.rc == 2 when: - step|int == 3 - os_net_config_need_upgrade.stdout - os_net_config_has_config.rc == 0 - name: Set boolean skip_package_update set_fact: skip_package_update: {get_param: SkipPackageUpdate} # Exclude ansible until https://github.com/ansible/ansible/issues/56636 # is available - name: Update all packages when: - step|int == 3 - not skip_package_update|bool yum: name: '*' state: latest exclude: ansible external_upgrade_tasks: - name: Clean up upgrade artifacts when: step|int == 1 tags: - never - system_upgrade_cleanup block: - name: cleanup tripleo_persist include_role: name: tripleo-persist tasks_from: cleanup.yml update_tasks: - name: Enforce RHOSP rules regarding subscription. include_role: name: tripleo-redhat-enforce vars: skip_rhel_enforcement: {get_param: SkipRhelEnforcement} when: - step|int == 0 - ansible_facts['distribution'] == 'RedHat' - not (skip_rhel_enforcement | bool) - name: Ensure DNF modules have the right stream vars: dnf_module_list: {get_attr: [RoleParametersValue, value, 'dnf_module_list']} dnf: name: "@{{ item.module }}:{{ item.stream }}/{{ item.profile|default('common') }}" state: present loop: "{{ dnf_module_list|list }}" when: - step|int == 0 - ansible_facts['distribution_major_version'] is version('8', '>=') - dnf_module_list|length > 0 - name: Check for existing yum.pid stat: path=/var/run/yum.pid register: yum_pid_file when: step|int == 0 or step|int == 3 - name: Exit if existing yum process fail: msg="ERROR existing yum.pid detected - can't continue! Please ensure there is no other package update process for the duration of the minor update worfklow. Exiting." when: (step|int == 0 or step|int == 3) and yum_pid_file.stat.exists - name: Set boolean skip_package_update set_fact: skip_package_update: {get_param: SkipPackageUpdate} - name: Special treatment for OpenvSwitch tripleo_ovs_upgrade: when: - step|int == 2 register: ovs_upgrade - name: Always ensure the openvswitch service is enabled and running after upgrades service: name: openvswitch enabled: yes state: started when: - step|int == 2 - ovs_upgrade.changed|bool # Exclude ansible until https://github.com/ansible/ansible/issues/56636 # is available - name: Update all packages when: - step|int == 3 - not skip_package_update|bool yum: name: '*' state: latest exclude: ansible # This is failsafe unless openvswitch package does something # to the systemd service state. - name: Ensure openvswitch is running after update when: step|int == 3 service: name: openvswitch enabled: yes state: started ignore_errors: true