Parameterize OVB stack flavors

Running quickstart with OVB  needs to work with multiple host
clouds where different flavor sets are available.

This review:
* Adds variables to the flavor specifications so that they can be
  overwritten by config files per host cloud environment
* Adds functionality to clean up stacks and keypairs
  from the host cloud environment
* Includes cloning the Openstack Virtual Baremetal repo
  within the ovb-manage-stack role
* Deletes the clouds.yaml file so it is not available,
  with the tenant password exposed for longer than
  necessary to create or delete the stack
* Changes the default key location to use
  the user's default key on the undercloud

Change-Id: I5f0f7327a2509ef889b80a35024478b13df2c2a9

playbooks/ovb-create-stack.yml

@@ -1,14 +1,20 @@
 ---
+# Add the virthost to the in-memory inventory.  The inventory is not
+# written out to disk unless you call the `tripleo-inventory` role.
+- name: Add the virthost to the inventory
+  hosts: localhost
+  tasks:
+    - name: Add virthost
+      add_host:
+        name: "virthost"
+        groups: "virthost"
+        ansible_host: "{{ virthost }}"
+
 - name: Create the OVB stack
   hosts: localhost
   roles:
     - { role: ovb-manage-stack, ovb_manage_stack_mode: 'create' }
 
-- name: Build test packages using DLRN
-  hosts: localhost
-  roles:
-    - {role: build-test-packages, when: build_test_packages|default(false)|bool }
-
 - name: Setup the undercloud
   hosts: undercloud
   gather_facts: no
@@ -23,18 +29,20 @@
   roles:
     - tripleo-inventory
 
-- name: Install the built package on the undercloud
-  hosts: undercloud
-  gather_facts: no
-  vars:
-    ib_repo_host: localhost
-  roles:
-    - {role: install-built-repo, when: build_test_packages|default(false)|bool }
-
 - name: Fetch the overcloud images
   hosts: undercloud
   gather_facts: no
-  vars:
-      ansible_user: root
   roles:
    - fetch-images
+
+- name: Build test packages using DLRN
+  hosts: undercloud
+  roles:
+    - {role: build-test-packages, when: build_test_packages|default(false)|bool }
+
+- name: Install the built package on the undercloud
+  hosts: undercloud
+  gather_facts: no
+  roles:
+    - {role: install-built-repo, when: build_test_packages|default(false)|bool }
+

releasenotes/notes/add-default-cloud-settings-60e48de95aa4c2ac.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Added public cloud settings.
+    All public cloud settings can be overridden to deploy on custom cloud
+    environments.
+    Added functionality to remove stacks and key pairs from the host cloud.

roles/ovb-manage-stack/defaults/main.yml

@@ -39,7 +39,19 @@ latest_guest_image:
     rhos-9: rhel-7.3-server-x86_64-latest
     rhos-10: rhel-7.3-server-x86_64-latest
 
-existing_key_location: '{{ local_working_dir }}'
+port_security: true
+
+baremetal_ports_template:
+    multiple-nics: baremetal-ports-all.yaml
+    multi-nic: baremetal-ports-all.yaml
+    public-bond: baremetal-ports-public-bond.yaml
+
+baremetal_port_security_template:
+    multiple-nics: baremetal-ports-all-port-security.yaml
+    multi-nic: baremetal-ports-all-port-security.yaml
+    public-bond: baremetal-ports-public-bond-port-security.yaml
+
+existing_key_location: '~/.ssh/id_rsa'
 remove_image_from_host_cloud: false
 
 bmc_flavor: m1.medium
@@ -55,6 +67,7 @@ private_net: '{{ prefix }}private'
 node_count: 2
 public_net: '{{ prefix }}public'
 provision_net: '{{ prefix }}provision'
+provision_net_cidr: 192.0.2.0/24
 
 # QuintupleO-specific params ignored by virtual-baremetal.yaml
 undercloud_name: '{{ prefix }}undercloud'
@@ -73,3 +86,8 @@ registered_releases:
   - rhos-9
   - rhos-10
 
+# OVB environment clean up
+cleanup_stacks_keypairs: false
+cleanup_stacks_keypairs_script: cleanup-stacks-keypairs.sh.j2
+cleanup_stacks_keypairs_log: "{{ local_working_dir }}/cleanup_stacks_keypairs.log"
+

roles/ovb-manage-stack/tasks/ovb-cleanup-stacks-keypairs.yml

@@ -0,0 +1,12 @@
+---
+- name: Create OVB environment clean up script
+  template:
+      src: "{{ cleanup_stacks_keypairs_script }}"
+      dest: "{{ local_working_dir }}/cleanup-stacks-keypairs.sh"
+      mode: 0755
+
+- name: Remove existing stacks and key pairs
+  shell: >
+      set -o pipefail &&
+      {{ local_working_dir }}/cleanup-stacks-keypairs.sh 2>&1 {{ timestamper_cmd }} >
+      {{ cleanup_stacks_keypairs_log }}

roles/ovb-manage-stack/tasks/ovb-create-stack.yml

@@ -10,6 +10,15 @@
   file:
     path: "{{ local_working_dir }}"
 
+- name: Clone Openstack Virtual Baremetal repo if it does not exist
+  git:
+      repo: https://github.com/cybertron/openstack-virtual-baremetal.git
+      dest: "{{ local_working_dir }}/openstack-virtual-baremetal"
+      version: master
+
+- include: ovb-cleanup-stacks-keypairs.yml
+  when: cleanup_stacks_keypairs|bool
+
 - name: generate prefix for all run-related entities
   set_fact:
     prefix="{{ tmp.node_prefix }}"
@@ -19,12 +28,12 @@
 
 - name: copy key inserted in image to undercloud_key location
   copy:
-      src: "{{ existing_key_location }}/{{ item }}"
-      dest: "{{ local_working_dir }}/{{ item }}"
+      src: "{{ existing_key_location }}{{ item }}"
+      dest: "{{ local_working_dir }}/id_rsa_undercloud{{ item }}"
       mode: 0600
   with_items:
-      - id_rsa_undercloud
-      - id_rsa_undercloud.pub
+      - ""
+      - .pub
 
 - name: Copy deploy stack parameters template
   template:
@@ -32,34 +41,13 @@
       dest: "{{ local_working_dir }}/{{ prefix }}env.yaml"
       mode: 0755
 
-# NOTE: 'multi-nic' is deprecated
-- name: Add templates for multiple-nics
-  blockinfile:
-    dest: "{{ local_working_dir }}/{{ prefix }}env.yaml"
-    insertafter: "## in baremetal-networks-all.yaml"
-    content: |
-      ## multiple-nics
-        OS::OVB::BaremetalNetworks: {{ templates_dir }}/baremetal-networks-all.yaml
-        OS::OVB::BaremetalPorts: {{ templates_dir }}/baremetal-ports-all.yaml
-  when: network_isolation_type in ['multi-nic', 'multiple-nics']
-
-- name: Add templates for public-bond
-  blockinfile:
-    dest: "{{ local_working_dir }}/{{ prefix }}env.yaml"
-    insertafter: "## in baremetal-networks-all.yaml"
-    content: |
-      ## public-bond
-        OS::OVB::BaremetalNetworks: {{ templates_dir }}/baremetal-networks-all.yaml
-        OS::OVB::BaremetalPorts: {{ templates_dir }}/baremetal-ports-public-bond.yaml
-  when: network_isolation_type == 'public-bond'
-
 - name: Add keypair
   shell: >
       export OS_USERNAME="{{ os_username }}";
       export OS_PASSWORD="{{ os_password }}";
       export OS_TENANT_NAME="{{ os_tenant_name }}";
       export OS_AUTH_URL="{{ os_auth_url }}";
-      nova keypair-add --pub-key ~/.ssh/id_rsa.pub {{ prefix }}key
+      nova keypair-add --pub-key {{ existing_key_location }}.pub {{ prefix }}key
   ignore_errors: true
   no_log: true
 
@@ -79,17 +67,6 @@
   register: stack_deployment
   environment:
     OS_CLIENT_CONFIG_FILE: "{{ local_working_dir }}/clouds.yaml"
-  ignore_errors: true
-
-- name: Show stack deployment information
-  shell: >
-      export OS_USERNAME="{{ os_username }}";
-      export OS_PASSWORD="{{ os_password }}";
-      export OS_TENANT_NAME="{{ os_tenant_name }}";
-      export OS_AUTH_URL="{{ os_auth_url }}";
-      heat stack-show {{ stack_name }}
-  when: stack_deployment.result is not defined
-  no_log: true
 
 - name: set fact for undercloud floating IP address
   set_fact:
@@ -122,17 +99,8 @@
       export OS_CLOUD="{{ cloud_name}}";
       {{ ovb_dir }}/bin/build-nodes-json --env {{ local_working_dir }}/{{ prefix }}env.yaml
   register: nodes_json
-  no_log: true
 
-- name: Ensure directories exist for network-environment copy
+- name: remove clouds.yaml file
   file:
-      path: "{{ network_env_file_dest }}"
-      state: directory
-      mode: 0755
-
-- name: Copy the network-environment.yaml
-  copy:
-      src: "{{ network_environment_file }}"
-      dest: "{{ network_env_file_dest }}"
-      mode: 0755
-
+      path: "{{ local_working_dir }}/clouds.yaml"
+      state: absent

roles/ovb-manage-stack/tasks/ovb-delete-stack.yml

@@ -1,3 +1,16 @@
+---
+- name: Clone Openstack Virtual Baremetal repo if it does not exist
+  git:
+      repo: https://github.com/cybertron/openstack-virtual-baremetal.git
+      dest: "{{ local_working_dir }}/openstack-virtual-baremetal"
+      version: master
+
+- name: copy clouds.yaml file
+  template:
+      src: clouds.yaml.j2
+      dest: "{{ local_working_dir }}/clouds.yaml"
+      mode: 0755
+
 - name: Remove stack
   os_stack:
       name: "{{ stack_name }}"
@@ -17,3 +30,8 @@
   ignore_errors: true
   no_log: true
 
+- name: remove clouds.yaml file
+  file:
+      path: "{{ local_working_dir }}/clouds.yaml"
+      state: absent
+

roles/ovb-manage-stack/templates/cleanup-stacks-keypairs.sh.j2

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -eux
+
+### --start_docs
+
+## --------------------------------------------------------------
+## Clean up the  OVB environment by removing stacks and key pairs
+## --------------------------------------------------------------
+
+## ##################################################
+## Find the existing stacks and keys pairs to delete
+## ##################################################
+
+## * Return all stacks in COMPLETE or CREATE_FAILED state
+## ::
+
+ALL_STACKS=$({{ local_working_dir }}/bin/openstack stack list | grep "COMPLETE\|CREATE_FAILED" | cut -d '|' -f 3)
+
+## * Delete stacks in COMPLETE or CREATE_FAILED state - one stack at a time
+## ::
+
+for STACK in $ALL_STACKS; do
+    echo "Deleting Heat stack $STACK"
+    {{ local_working_dir }}/bin/openstack stack delete --yes $STACK
+    COUNTER=0
+    while [[ $({{ local_working_dir }}/bin/openstack stack list) == *"$STACK"* ]]; do
+        if [[ $COUNTER -gt 6 ]]; then
+            echo "$STACK could not be deleted in time or is in FAILED state."
+            exit 1
+        else
+            echo "Polling for stack $STACK to be deleted"
+            sleep 30
+            COUNTER=$((COUNTER+1))
+        fi
+    done
+
+## * Delete the key pair associated with the stack
+## ::
+
+    KEYPAIR=$(echo ${STACK/stack/key} | sed 's/oooq-//')
+    if [[ $({{ local_working_dir }}/bin/nova keypair-list) == *"$KEYPAIR"* ]]; then
+        echo "Deleting key pair $KEYPAIR"
+        {{ local_working_dir }}/bin/nova keypair-delete $KEYPAIR
+    fi
+done
+
+### --stop_docs

roles/ovb-manage-stack/templates/env.yaml.j2

@@ -4,11 +4,11 @@ parameters:
   os_tenant: {{ os_tenant_name }}
   os_auth_url: {{ os_auth_url }}
 
-  bmc_flavor: m1.micro
+  bmc_flavor: {{ bmc_flavor }}
   bmc_image: 'bmc-base'
   bmc_prefix: '{{ prefix }}bmc'
 
-  baremetal_flavor: m1.large
+  baremetal_flavor: {{ baremetal_flavor }}
   baremetal_image: 'ipxe-boot'
   baremetal_prefix: '{{ prefix }}baremetal'
 
@@ -17,11 +17,12 @@ parameters:
   node_count: {{ node_count }}
   public_net: '{{ prefix }}public'
   provision_net: '{{ prefix }}provision'
+  provision_net_cidr: {{ provision_net_cidr }}
 
   # QuintupleO-specific params ignored by virtual-baremetal.yaml
   undercloud_name: '{{ prefix }}undercloud'
   undercloud_image: '{{ latest_undercloud_image }}'
-  undercloud_flavor: m1.xlarge
+  undercloud_flavor: {{ undercloud_flavor }}
   external_net:  '{{ external_net }}'
   undercloud_user_data: |
         #!/bin/sh
@@ -52,6 +53,26 @@ resource_registry:
 ## in baremetal-networks-all.yaml
 #  OS::OVB::BaremetalNetworks: {{ templates_dir }}/baremetal-networks-all.yaml
 #  OS::OVB::BaremetalPorts: {{ templates_dir }}/baremetal-ports-all.yaml
+{% if network_isolation_type in ['multi-nic', 'multiple-nics', 'public-bond'] and not port_security|bool %}
+  OS::OVB::BaremetalNetworks: {{ templates_dir }}/baremetal-networks-all.yaml
+  OS::OVB::BaremetalPorts: {{ templates_dir }}/{{ baremetal_ports_template[network_isolation_type] }}
+{% endif %}
+{% if network_isolation_type in ['multi-nic', 'multiple-nics', 'public-bond'] and port_security|bool %}
+  OS::OVB::BaremetalNetworks: {{ templates_dir }}/baremetal-networks-all.yaml
+{% endif %}
+
+## Uncomment to use the neutron port-security extension to allow DHCP from
+## the undercloud to overcloud nodes.  There are *-port-security.yaml versions
+## of all the standard port resource templates.  The examples below are to use
+## port-security with a minimal deployment (i.e. no network isolation).
+#  OS::OVB::BaremetalPorts: templates/baremetal-ports-default-port-security.yaml
+#  OS::OVB::BMCPort: templates/bmc-port-port-security.yaml
+#  OS::OVB::UndercloudPorts: templates/undercloud-ports-port-security.yaml
+{% if network_isolation_type in ['multi-nic', 'multiple-nics', 'public-bond'] and port_security|bool %}
+  OS::OVB::BaremetalPorts: {{ templates_dir }}/{{ baremetal_port_security_template[network_isolation_type] }}
+  OS::OVB::BMCPort: {{ templates_dir }}/bmc-port-port-security.yaml
+  OS::OVB::UndercloudPorts: {{ templates_dir }}/undercloud-ports-port-security.yaml
+{% endif %}
 
 ## Uncomment to deploy a quintupleo environment without an undercloud.
 #  OS::OVB::UndercloudEnvironment: OS::Heat::None

roles/undercloud-setup/templates/ovb-undercloud-connectivity.sh.j2

@@ -10,6 +10,7 @@ set -eux
 ## * Configure external interface
 ## ::
 
+# TODO: move this to overcloud-prep-network role
 sudo ip addr add {{ external_interface_ip }} dev {{ external_interface }}
 
 ## * Get mac address of external interface
@@ -39,6 +40,7 @@ IPV6_PEERDNS=yes
 IPV6_PEERROUTES=yes
 EOF'
 
+sudo ifdown {{ external_interface }}
 sudo ifup {{ external_interface }}
 
 ## * Set MTU values
@@ -46,15 +48,19 @@ sudo ifup {{ external_interface }}
 
 {% for interface in (mtu_interface) %}
   sudo ip link set {{ interface }} mtu {{ mtu }}
-  echo "MTU={{ mtu }}" | sudo tee /etc/sysconfig/network-scripts/ifcfg-{{ interface }}
+  echo "MTU={{ mtu }}" | sudo tee -a /etc/sysconfig/network-scripts/ifcfg-{{ interface }}
 {% endfor %}
 
-## * Add nameserver to resolv.conf
+## * Add custom nameserver to resolv.conf if required
 ## ::
 
-sudo sed -i 's/^nameserver/#nameserver/g' /etc/resolv.conf
-cat <<EOF | sudo tee /etc/resolv.conf
-nameserver {{ custom_nameserver }}
+{% if custom_nameserver is defined %}
+sudo sed -i '/^nameserver/d' /etc/resolv.conf
+{% for name_server in custom_nameserver %}
+cat <<EOF | sudo tee -a /etc/resolv.conf
+nameserver {{ name_server }}
 EOF
+{% endfor %}
+{% endif %}
 
 ### --stop_docs