d8e5ccb8cb
One of the pre-requisites for leapp tool to be able to upgrade is the existence of the PermitRootLogin option in the sshd_config file. It doesn't mind which value it has, it needs to be set. For that reason, this patch will set the value to without-password (which is the default for the PermitRootLogin field). The selection of the option isn't really relevant, as during the installation of the openstack services puppet will just overwrite the sshd_config, therefore this is simply a hack for leapp to let us upgrade. Change-Id: Id647896fda6cc3fe7bf5eb5ba2de05111d174092
359 lines
13 KiB
YAML
359 lines
13 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
TripleO Package installation settings
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
EnablePackageInstall:
|
|
default: 'false'
|
|
description: Set to true to enable package installation at deploy time
|
|
type: boolean
|
|
UpgradeLeappEnabled:
|
|
description: Use Leapp for operating system upgrade
|
|
type: boolean
|
|
default: false
|
|
UpgradeLeappDebug:
|
|
description: Print debugging output when running Leapp
|
|
type: boolean
|
|
default: true
|
|
UpgradeLeappDevelSkip:
|
|
description: |
|
|
Skip Leapp checks by setting env variables when running Leapp in
|
|
development/testing. For example, LEAPP_DEVEL_SKIP_RHSM=1.
|
|
type: string
|
|
default: ''
|
|
UpgradeLeappCommandOptions:
|
|
description: |
|
|
In case or using UpgradeLeappDevelSkip with LEAPP_NO_RHSM=1 user
|
|
can specify --enablerepo <repo1> --enablerepo <repo2> options for
|
|
leapp to use these repositories for the upgrade process.
|
|
type: string
|
|
default: ''
|
|
UpgradeLeappRebootTimeout:
|
|
description: Timeout (seconds) for the OS upgrade phase via Leapp
|
|
type: number
|
|
default: 3600
|
|
UpgradeLeappToRemove:
|
|
default: []
|
|
description: List of packages to remove during Leapp upgrade.
|
|
type: comma_delimited_list
|
|
UpgradeLeappToInstall:
|
|
default: []
|
|
description: List of packages to install after Leapp upgrade.
|
|
type: comma_delimited_list
|
|
UpgradeInitCommand:
|
|
type: string
|
|
description: |
|
|
Command or script snippet to run on all overcloud nodes to
|
|
initialize the upgrade process. E.g. a repository switch.
|
|
default: ''
|
|
UpgradeInitCommonCommand:
|
|
type: string
|
|
description: |
|
|
Common commands required by the upgrades process. This should not
|
|
normally be modified by the operator and is set and unset in the
|
|
major-upgrade-composable-steps.yaml and major-upgrade-converge.yaml
|
|
environment files.
|
|
default: ''
|
|
SkipPackageUpdate:
|
|
default: 'false'
|
|
description: Set to true to skip the update all packages
|
|
type: boolean
|
|
SkipRhelEnforcement:
|
|
default: "false"
|
|
description: Whether to avoid or not RHEL/OSP policies enforcement on Red Hat.
|
|
Mainly for CI purpose. It shouldn't matter on other distributions
|
|
where it's disabled in the role. Set to true to skip the enforcement.
|
|
type: string
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the TripleO package settings
|
|
value:
|
|
service_name: tripleo_packages
|
|
config_settings:
|
|
tripleo::packages::enable_install: {get_param: EnablePackageInstall}
|
|
step_config: |
|
|
include tripleo::packages
|
|
upgrade_tasks:
|
|
- name: Gather missing facts
|
|
setup:
|
|
gather_subset: "distribution"
|
|
when: >-
|
|
ansible_facts['distribution'] is not defined or
|
|
ansible_facts['distribution_major_version'] is not defined
|
|
tags:
|
|
- always
|
|
|
|
- name: Set leapp facts
|
|
set_fact:
|
|
upgrade_leapp_enabled: >-
|
|
{{ _upgradeLeappEnabled | bool and
|
|
ansible_facts['distribution'] == 'RedHat' and
|
|
ansible_facts['distribution_major_version'] is version('7', '==') }}
|
|
upgrade_leapp_debug: {get_param: UpgradeLeappDebug}
|
|
upgrade_leapp_devel_skip: {get_param: UpgradeLeappDevelSkip}
|
|
upgrade_leapp_command_options: {get_param: UpgradeLeappCommandOptions}
|
|
upgrade_leapp_reboot_timeout: {get_param: UpgradeLeappRebootTimeout}
|
|
vars:
|
|
_upgradeLeappEnabled: {get_param: UpgradeLeappEnabled}
|
|
tags:
|
|
- always
|
|
|
|
- name: system_upgrade_prepare step 3
|
|
tags:
|
|
- never
|
|
- system_upgrade
|
|
- system_upgrade_prepare
|
|
when:
|
|
- step|int == 3
|
|
- upgrade_leapp_enabled
|
|
block:
|
|
- name: remove all OpenStack packages
|
|
shell: |
|
|
yum -y remove *el7ost* -- \
|
|
-*openvswitch* \
|
|
-python2-babel \
|
|
-python2-dateutil \
|
|
-python2-ipaddress \
|
|
-python2-jinja2 \
|
|
-python2-markupsafe \
|
|
-python2-six
|
|
- name: install leapp
|
|
package:
|
|
name: leapp
|
|
state: latest
|
|
- name: "add packages into Leapp's to_remove file"
|
|
vars:
|
|
pkg_to_remove: { get_param: UpgradeLeappToRemove }
|
|
lineinfile:
|
|
path: "/etc/leapp/transaction/to_remove"
|
|
line: "{{ item }}"
|
|
loop: "{{ pkg_to_remove }}"
|
|
- name: "add packages into Leapp's to_install file"
|
|
vars:
|
|
pkg_to_install: { get_param: UpgradeLeappToInstall }
|
|
lineinfile:
|
|
path: "/etc/leapp/transaction/to_install"
|
|
line: "{{ item }}"
|
|
loop: "{{ pkg_to_install }}"
|
|
- name: "check sshd_config file"
|
|
stat:
|
|
path: "/etc/ssh/sshd_config"
|
|
register: sshd_config_result
|
|
- name: "add PermitRootLogin option for leapp"
|
|
lineinfile:
|
|
path: "/etc/ssh/sshd_config"
|
|
regexp: "^(# *)?PermitRootLogin"
|
|
line: "PermitRootLogin without-password"
|
|
- name: system_upgrade_prepare step 4
|
|
tags:
|
|
- never
|
|
- system_upgrade
|
|
- system_upgrade_prepare
|
|
when: step|int == 4
|
|
block:
|
|
- name: run leapp upgrade (download packages)
|
|
shell: >
|
|
{% if upgrade_leapp_devel_skip|default(false) %}{{ upgrade_leapp_devel_skip }}{% endif %}
|
|
leapp upgrade
|
|
{% if upgrade_leapp_debug|default(true) %}--debug{% endif %}
|
|
{% if upgrade_leapp_command_options|default(false) %}{{ upgrade_leapp_command_options }}{% endif %}
|
|
when: upgrade_leapp_enabled
|
|
|
|
- name: system_upgrade_run step 4
|
|
tags:
|
|
- never
|
|
- system_upgrade
|
|
- system_upgrade_run
|
|
# In case someone needs to re-run system_upgrade_run post-tasks
|
|
# but doesn't want to reboot, they can run with
|
|
# `--skip-tags system_upgrade_reboot`.
|
|
- system_upgrade_reboot
|
|
when:
|
|
- step|int == 4
|
|
- upgrade_leapp_enabled
|
|
block:
|
|
- name: reboot to perform the upgrade
|
|
reboot:
|
|
reboot_timeout: "{{upgrade_leapp_reboot_timeout}}"
|
|
- name: Clear gathered facts from all currently targeted hosts
|
|
meta: clear_facts
|
|
- name: Force facts refresh after OS upgrade to refresh cache.
|
|
setup:
|
|
|
|
- name: Package and repo update tasks
|
|
when: step|int == 0
|
|
block:
|
|
- name: Run UpgradeInitCommand
|
|
shell:
|
|
list_join:
|
|
- ''
|
|
- - "#!/bin/bash\n\n"
|
|
- "if [[ -f /etc/resolv.conf.save ]] ; then rm /etc/resolv.conf.save; fi\n\n"
|
|
- {get_param: UpgradeInitCommand}
|
|
- name: Run UpgradeInitCommonCommand
|
|
shell:
|
|
list_join:
|
|
- ''
|
|
- - "#!/bin/bash\n\n"
|
|
- {get_param: UpgradeInitCommonCommand}
|
|
- name: Ensure TripleO prerequisite packages are installed
|
|
package:
|
|
name:
|
|
- jq
|
|
- lvm2
|
|
- net-snmp
|
|
- openstack-selinux
|
|
- os-net-config
|
|
- pacemaker
|
|
- pcs
|
|
- puppet-tripleo
|
|
- python3-heat-agent*
|
|
- rsync
|
|
state: present
|
|
when: ansible_distribution_major_version == '8'
|
|
- name: Special treatment for OpenvSwitch
|
|
tripleo_ovs_upgrade:
|
|
when:
|
|
- step|int == 2
|
|
register: ovs_upgrade
|
|
- name: Always ensure the openvswitch service is enabled and running after upgrades
|
|
service:
|
|
name: openvswitch
|
|
enabled: yes
|
|
state: started
|
|
when:
|
|
- step|int == 2
|
|
- ovs_upgrade.changed|bool
|
|
- name: Install libibverbs (https://bugs.launchpad.net/tripleo/+bug/1817743)
|
|
when: step|int == 2
|
|
package:
|
|
name: libibverbs
|
|
state: installed
|
|
- name: Check for os-net-config upgrade
|
|
shell: "yum check-upgrade | awk '/os-net-config/{print}'"
|
|
register: os_net_config_need_upgrade
|
|
when: step|int == 3
|
|
- name: Check that os-net-config has configuration
|
|
shell: test -s /etc/os-net-config/config.json
|
|
register: os_net_config_has_config
|
|
failed_when: false
|
|
when: step|int == 3
|
|
- block:
|
|
- name: Upgrade os-net-config
|
|
package: name=os-net-config state=latest
|
|
- name: take new os-net-config parameters into account now
|
|
command: os-net-config --no-activate -c /etc/os-net-config/config.json -v --detailed-exit-codes
|
|
register: os_net_config_upgrade
|
|
failed_when: os_net_config_upgrade.rc not in [0,2]
|
|
changed_when: os_net_config_upgrade.rc == 2
|
|
when:
|
|
- step|int == 3
|
|
- os_net_config_need_upgrade.stdout
|
|
- os_net_config_has_config.rc == 0
|
|
# Exclude ansible until https://github.com/ansible/ansible/issues/56636
|
|
# is available
|
|
- name: Update all packages
|
|
when:
|
|
- step|int == 3
|
|
- not skip_package_update|bool
|
|
yum:
|
|
name: '*'
|
|
state: latest
|
|
exclude: ansible
|
|
vars:
|
|
skip_package_update: {get_param: SkipPackageUpdate}
|
|
external_upgrade_tasks:
|
|
- name: Clean up upgrade artifacts
|
|
when: step|int == 1
|
|
tags:
|
|
- never
|
|
- system_upgrade_cleanup
|
|
block:
|
|
- name: cleanup tripleo_persist
|
|
include_role:
|
|
name: tripleo_persist
|
|
tasks_from: cleanup.yml
|
|
- name: cleanup tripleo_transfer
|
|
include_role:
|
|
name: tripleo_transfer
|
|
tasks_from: cleanup.yml
|
|
update_tasks:
|
|
- name: Enforce RHOSP rules regarding subscription.
|
|
include_role:
|
|
name: tripleo_redhat_enforce
|
|
vars:
|
|
skip_rhel_enforcement: {get_param: SkipRhelEnforcement}
|
|
when:
|
|
- step|int == 0
|
|
- ansible_distribution == 'RedHat'
|
|
- not (skip_rhel_enforcement | bool)
|
|
- name: Check for existing yum.pid
|
|
stat: path=/run/yum.pid
|
|
register: yum_pid_file
|
|
when: step|int == 0 or step|int == 3
|
|
- name: Exit if existing yum process
|
|
fail: msg="ERROR existing yum.pid detected - can't continue! Please ensure there is no other package update process for the duration of the minor update worfklow. Exiting."
|
|
when: (step|int == 0 or step|int == 3) and yum_pid_file.stat.exists
|
|
- name: Special treatment for OpenvSwitch
|
|
tripleo_ovs_upgrade:
|
|
when:
|
|
- step|int == 2
|
|
register: ovs_upgrade
|
|
- name: Always ensure the openvswitch service is enabled and running after upgrades
|
|
service:
|
|
name: openvswitch
|
|
enabled: yes
|
|
state: started
|
|
when:
|
|
- step|int == 2
|
|
- ovs_upgrade.changed|bool
|
|
# Exclude ansible until https://github.com/ansible/ansible/issues/56636
|
|
# is available
|
|
- name: Update all packages
|
|
when:
|
|
- step|int == 3
|
|
- not skip_package_update|bool
|
|
yum:
|
|
name: '*'
|
|
state: latest
|
|
exclude: ansible
|
|
vars:
|
|
skip_package_update: {get_param: SkipPackageUpdate}
|
|
# This is failsafe unless openvswitch package does something
|
|
# to the systemd service state.
|
|
- name: Ensure openvswitch is running after update
|
|
when: step|int == 3
|
|
service:
|
|
name: openvswitch
|
|
enabled: yes
|
|
state: started
|
|
ignore_errors: true
|