Merge remote-tracking branch 'origin/master' into f/centos8

Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: I961d30c4be1130f8ebf6008e6065eac29ddafa87
Charles Short 2021-06-02 13:56:08 -04:00
commit 163ec9989c
116 changed files with 3803 additions and 819 deletions


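--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,6 @@
+---
+{
+"ansible_ssh_pass": "St8rlingX*",
+"external_oam_node_0_address": "10.10.10.13",
+"external_oam_node_1_address": "10.10.10.14",
+}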
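Review bot: The example overrides file ships a concrete-looking `ansible_ssh_pass` value, `St8rlingX*`, on its third line; example files get copied and filled in verbatim, so the value should be an unmistakable placeholder, e.g. `"ansible_ssh_pass": "<subcloud-sysadmin-password>"`, with a leading comment stating that the real overrides file must not be committed. The file name is not shown on this page, but the migrate play header elsewhere in the commit refers to a `migrate-subcloud1-overrides-EXAMPLE.yml`, which is presumably this file. The flow mapping with a trailing comma parses, but block style (`ansible_ssh_pass: "<...>"` one key per line) is what every other vars file in this commit uses and diffs more cleanly.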


@ -33,6 +33,7 @@ This package contains playbooks used for configuring StarlingX.
%install
make install DESTDIR=%{buildroot}%{local_stx_ansible_dir}
chmod 755 %{buildroot}%{local_stx_ansible_dir}/playbooks/roles/rehome-subcloud/update-keystone-data/files/validate_keystone_passwords.sh
%post
cp %{local_stx_ansible_dir}/playbooks/ansible.cfg %{local_etc_ansible}


@ -37,6 +37,8 @@ make install DESTDIR=%{buildroot}%{local_stx_ansible_dir}
chmod 755 %{buildroot}%{local_stx_ansible_dir}/playbooks/roles/bootstrap/persist-config/files/populate_initial_config.py
chmod 755 %{buildroot}%{local_stx_ansible_dir}/playbooks/roles/bootstrap/prepare-env/files/check_root_disk_size.py
chmod 755 %{buildroot}%{local_stx_ansible_dir}/playbooks/roles/backup/backup-system/files/fm_alarm.py
chmod 755 %{buildroot}%{local_stx_ansible_dir}/playbooks/roles/rehome-subcloud/update-keystone-data/files/migrate_keystone_ids.py
chmod 755 %{buildroot}%{local_stx_ansible_dir}/playbooks/roles/rehome-subcloud/update-keystone-data/files/validate_keystone_passwords.sh
%post


@ -100,7 +100,7 @@ stdout_callback = skippy
#sudo_flags = -H -S -n
# SSH timeout
#timeout = 10
timeout = 60
# default user to use for playbooks if user is not specified
# (/usr/bin/ansible will use current user as default)
@ -426,7 +426,7 @@ pipelining = False
# Number of times to retry an SSH connection to a host, in case of UNREACHABLE.
# For each retry attempt, there is an exponential backoff,
# so after the first attempt there is 1s wait, then 2s, 4s etc. up to 30s (max).
#retries = 3
retries = 10
[persistent_connection]


@ -20,7 +20,7 @@
- bootstrap/prepare-env
- { role: bootstrap/validate-config, become: yes }
- { role: bootstrap/store-passwd, when: save_password, become: yes }
- { role: bootstrap/apply-bootstrap-manifest, when: not replayed, become: yes }
- { role: bootstrap/apply-manifest, become: yes }
- { role: bootstrap/persist-config, become: yes }
- { role: bootstrap/bringup-essential-services, become: yes }
- { role: bootstrap/bringup-bootstrap-applications, become: yes }


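--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
+---
+#
+# Copyright (c) 2020 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# ROLE DESCRIPTION:
+# Enable secured etcd.
+# This file can be removed in the release after STX5.0
+- hosts: all
+become: yes
+become_user: root
+tasks:
+- name: Create cert for etcd server and client
+import_role:
+name: common/create-etcd-certs
+- name: Create etcd cert permdir
+file:
+path: "{{ config_permdir + '/etcd' }}"
+state: directory
+mode: 0700
+- name: Copy etcd certificates to config_permdir
+copy:
+src: "/etc/etcd/{{ item }}"
+dest: "{{ config_permdir + '/etcd' }}/{{ item }}"
+remote_src: yes
+force: yes
+with_items:
+- "etcd-server.crt"
+- "etcd-server.key"
+- "etcd-client.crt"
+- "etcd-client.key"
+- "apiserver-etcd-client.crt"
+- "apiserver-etcd-client.key"
+- "ca.crt"
+- "ca.key"
+- name: Copy apiserver-etcd-client cert
+copy:
+src: "/etc/etcd/{{ item }}"
+dest: "/etc/kubernetes/pki/{{ item }}"
+remote_src: yes
+force: yes
+with_items:
+- "apiserver-etcd-client.crt"
+- "apiserver-etcd-client.key"
+- name: Write security settings to hieradata
+lineinfile:
+path: "{{ puppet_permdir }}/hieradata/static.yaml"
+line: "{{ item }}"
+with_items:
+- "platform::etcd::params::security_enabled: true"
+- "platform::etcd::params::bind_address: {{ cluster_floating_address }}"
+- "platform::etcd::params::bind_address_version: {{ etcd_listen_address_version }}"
+- name: Create list of etcd classes to pass to puppet
+copy:
+dest: "/tmp/etcd.yml"
+content: |
+classes:
+- platform::etcd::upgrade::runtime
+- name: Applying puppet for enabling etcd security
+command: >
+/usr/local/bin/puppet-manifest-apply.sh
+{{ puppet_permdir }}/hieradata/
+{{ ipaddress }}
+controller runtime /tmp/etcd.yml
+register: etcd_apply_result
+failed_when: false
+environment:
+LC_ALL: "en_US.UTF-8"
+- block:
+- name: Remove bind address and address version
+lineinfile:
+dest: "{{ puppet_permdir }}/hieradata/static.yaml"
+regexp: "{{ item }}"
+state: absent
+with_items:
+- "^platform::etcd::params::bind_address"
+- "^platform::etcd::params::bind_address_version"
+- name: Revert security_enable flag
+lineinfile:
+dest: "{{ puppet_permdir }}/hieradata/static.yaml"
+regexp: "^platform::etcd::params::security_enabled"
+line: "platform::etcd::params::security_enabled: false"
+- name: Fail if puppet manifest apply script returns an error
+fail:
+msg: >-
+Failed to apply etcd manifest!
+when: etcd_apply_result.rc != 0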
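Review bot: The two `copy` tasks that place `etcd-server.key`, `etcd-client.key`, `apiserver-etcd-client.key` and `ca.key` under `config_permdir/etcd` and `/etc/kubernetes/pki` set no `mode` or `owner`; with `remote_src: yes` the copy module does not carry the source file's permissions over, so the private-key copies may be created with umask-default, group/world-readable bits. Add `mode: '0600'` (or `mode: preserve`) plus `owner: root` and `group: root` to both tasks, matching the `0700` the directory task already uses. The "Write security settings to hieradata" task uses `lineinfile` with only `line:`, so a re-run appends duplicate `platform::etcd::params::*` entries; keying each item on a `regexp:` for the parameter name, as the revert block at the end already does, keeps it idempotent.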


@ -75,6 +75,12 @@ openstack_backup_filename_prefix: "{{ inventory_hostname }}_openstack_backup"
#
# This variable is used for StarlingX OpenStack application restore only
#
# The dc_vault backup tarball will be named in this format:
# <dc_vault_backup_filename_prefix>_<timestamp>.tgz
#
dc_vault_backup_filename_prefix: "{{ inventory_hostname }}_dc_vault_backup"
restore_cinder_glance_data: false
# Default directory where the system backup tarballs fetched from the
@ -94,3 +100,7 @@ restore_openstack_continue: false
# When set to false, disk partitions that were previously used for Ceph data are
# not wiped. Otherwise, all disks are wiped as part of the bootstrap.
wipe_ceph_osds: false
# The following parameter indicates where the backup data file(s) reside,
# on the host itself (true) or off box (false).
on_box_data: true


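--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
+---
+password_change: false
+cluster_service_subnet: 10.96.0.0/12
+# cluster_service_start_address:
+# cluster_service_end_address: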


@ -1,6 +1,6 @@
---
#
# Copyright (c) 2020 Wind River Systems, Inc.
# Copyright (c) 2020-2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
@ -9,6 +9,7 @@
hosts: all
gather_facts: false
become: no
tasks:
- set_fact:
ansible_port: "{{ ansible_port | default(22) }}"
@ -164,22 +165,10 @@
timeout={{ wait_for_timeout }}
state=started
- set_fact:
override_files_dir: "{{ lookup('env', 'HOME') }}"
password_change_responses:
yes/no: 'yes'
sysadmin*: 'sysadmin'
\(current\) UNIX password: 'sysadmin'
(?i)New password: "{{ ansible_ssh_pass }}"
(?i)Retype new password: "{{ ansible_ssh_pass }}"
- import_role:
name: common/prepare-env
- name: Check if the system is ready
command: "systemctl is-active multi-user.target"
register: check_active
retries: 30
delay: 40
until: check_active.rc == 0
no_log: true
- name: Run validate host playbook post install
import_playbook: validate_host.yml
vars:
check_system: true
check_load: false
check_bootstrap_address: false
check_patches: false


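--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
+---
+#
+# Copyright (c) 2021 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# This playbook provides the capability to migrate a subcloud from
+# AIO-SX to AIO-DX. It will lock the subcloud, perform the necessary
+# configuration updates, then unlock the subcloud. NOTE: This is for a
+# non-ceph subcloud.
+#
+# To run the playbook, the user would define an overrides file that
+# provides the required variable settings, passing this on the ansible
+# command-line.
+# (see migrate-subcloud1-overrides-EXAMPLE.yml)
+#
+# Example command:
+# ansible-playbook /usr/share/ansible/stx-ansible/playbooks/migrate_sx_to_dx.yml \
+# -e @migrate-subcloud1-overrides.yml -i subcloud1, -v
+#
+- hosts: all
+gather_facts: no
+tasks:
+- name: Check required parameters
+debug:
+msg:
+- "Validating required migration parameters:"
+- "ansible_ssh_pass: {{ ansible_ssh_pass | regex_replace('.', '*') }}"
+- "external_oam_node_0_address: {{ external_oam_node_0_address }}"
+- "external_oam_node_1_address: {{ external_oam_node_1_address }}"
+failed_when: (ansible_ssh_pass | length == 0) or
+(external_oam_node_0_address | ipaddr == false) or
+(external_oam_node_1_address | ipaddr == false)
+- name: Query management interface configuration
+shell: |
+source /etc/platform/openrc
+system interface-network-list controller-0 --nowrap | awk '$8 == "mgmt" { print $6 }'
+register: mgmt_if
+- name: Query cluster-host interface configuration
+shell: |
+source /etc/platform/openrc
+system interface-network-list controller-0 --nowrap | awk '$8 == "cluster-host" { print $6 }'
+register: cluster_host_if
+- name: Validate network interface configuration
+fail:
+msg: |
+The cluster-host and management networks cannot be on the
+loopback interface for simplex to duplex migration
+when: mgmt_if.stdout == 'lo' or
+cluster_host_if.stdout == 'lo'
+- set_fact:
+duplex_mode: "{{ duplex_mode | default('duplex') }}"
+kubernetes_duplex_migration_flag: '/var/run/.kubernetes_duplex_migration_complete'
+- name: Query system_mode
+shell: source /etc/platform/openrc; system show | awk '$2 == "system_mode" { print $4 }'
+register: current_system_mode
+- name: Query oam_c0_ip
+shell: source /etc/platform/openrc; system oam-show | awk '$2 == "oam_c0_ip" { print $4 }'
+register: current_oam_c0_ip
+- name: Query oam_c1_ip
+shell: source /etc/platform/openrc; system oam-show | awk '$2 == "oam_c1_ip" { print $4 }'
+register: current_oam_c1_ip
+- block:
+- name: Lock host
+include_role:
+name: common/host-lock
+vars:
+target_host: 'controller-0'
+- name: Update system mode
+expect:
+echo: yes
+command: bash -c 'source /etc/platform/openrc; system modify -m {{ duplex_mode }} '
+responses:
+(.*)Are you sure you want to continue(.*): "yes"
+failed_when: false
+when: current_system_mode.stdout == 'simplex'
+# Wait up to 20 minutes for the runtime manifest triggered by the previous
+# "system modify -m duplex" command, as there may be other runtime manifests
+# being applied
+- name: Wait for kubernetes duplex migration manifest completion, up to 20 minutes
+wait_for:
+path: "{{ kubernetes_duplex_migration_flag }}"
+state: present
+timeout: 1200
+msg: Timeout waiting for kubernetes duplex migration manifest completion
+- name: Update OAM configuration
+shell: >-
+source /etc/platform/openrc;
+system oam-modify oam_c0_ip={{ external_oam_node_0_address }} oam_c1_ip={{ external_oam_node_1_address }}
+args:
+warn: false
+when: current_oam_c0_ip.stdout != external_oam_node_0_address or
+current_oam_c1_ip.stdout != external_oam_node_1_address
+- name: Unlock host
+include_role:
+name: common/host-unlock
+vars:
+target_host: 'controller-0'
+when: current_system_mode.stdout == 'simplex' or
+current_oam_c0_ip.stdout != external_oam_node_0_address or
+current_oam_c1_ip.stdout != external_oam_node_1_address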
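Review bot: The "Update system mode" expect task carries `failed_when: false` and registers nothing, so a failed `system modify -m {{ duplex_mode }}` is silently discarded; the play then blocks up to 20 minutes on the migration flag file and fails there with controller-0 still locked, far from the real cause. Register the result and check it right after the task: `register: system_modify_result`, then a `fail:` task with `msg: "system modify -m {{ duplex_mode }} failed: {{ system_modify_result.stdout | default('') }}"` and `when: current_system_mode.stdout == 'simplex' and system_modify_result.rc != 0`. The masked echo of `ansible_ssh_pass` in the "Check required parameters" debug still reveals the password's length; printing a fixed `********` would avoid that with no loss of information for the operator.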


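--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
+---
+#
+# Copyright (c) 2021 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+- hosts: localhost
+gather_facts: no
+become: true
+roles:
+- role: provision-edgeworker/prepare-controller/platform
+when: groups['edgeworker'] | length > 0
+- role: provision-edgeworker/prepare-controller/kubernetes
+when: groups['edgeworker'] | length > 0
+- hosts: edgeworker
+become: true
+strategy: free
+roles:
+- role: provision-edgeworker/prepare-edgeworker/os
+- role: provision-edgeworker/prepare-edgeworker/kubernetes
+- hosts: localhost
+gather_facts: no
+become: true
+roles:
+- role: provision-edgeworker/prepare-controller/cleanup
+when: groups['edgeworker'] | length > 0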
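Review bot: `groups['edgeworker'] | length > 0` fails with an undefined-variable error when the inventory has no `edgeworker` group at all, instead of skipping the controller roles; the same condition appears on all three `when:` lines of the section. Use `groups['edgeworker'] | default([]) | length > 0` so the playbook is a no-op on inventories without edgeworker hosts, which is what the guards seem intended for. A short header comment would also help, e.g. `# Provisions the hosts of the 'edgeworker' inventory group: prepares the controller, configures each edgeworker, then cleans up on the controller.`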


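--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
+---
+#
+# Copyright (c) 2021 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+- hosts: all
+gather_facts: no
+vars_files:
+- vars/common/main.yml
+- host_vars/rehome-subcloud/default.yml
+roles:
+- common/prepare-env
+- common/validate-target
+- { role: rehome-subcloud/prepare-env, become: yes }
+- { role: rehome-subcloud/update-network-config, become: yes }
+- { role: rehome-subcloud/update-keystone-data, become: yes }
+- { role: rehome-subcloud/update-sc-cert, become: yes }
+- { role: rehome-subcloud/check-services-status, become: yes }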


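--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
+---
+#
+# Copyright (c) 2021 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+- hosts: all
+gather_facts: no
+vars_files:
+- host_vars/backup-restore/default.yml
+roles:
+- { role: common/prepare-env }
+- { role: restore-dc-vault/prepare-env }
+- { role: restore-dc-vault/restore-dc-vault-directory, become: yes }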


@ -15,7 +15,5 @@
# Main play
roles:
- { role: common/prepare-env }
- { role: backup-restore/prepare-env }
- { role: restore-openstack/prepare-env, when: not restore_openstack_continue|bool }
- { role: backup-restore/transfer-file, when: not restore_openstack_continue|bool }
- { role: restore-openstack/restore, become: yes }


@ -15,7 +15,6 @@
- common/prepare-env
- common/validate-target
- restore-platform/prepare-env
- backup-restore/transfer-file
- restore-platform/restore-sw-patches
- name: Run bootstrap playbook with restore mode


@ -1,6 +1,6 @@
---
#
# Copyright (c) 2020 Wind River Systems, Inc.
# Copyright (c) 2020-2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
@ -13,7 +13,5 @@
roles:
- { role: common/prepare-env }
- { role: restore-user-images/prepare-env, become: yes }
- { role: backup-restore/prepare-env }
- { role: backup-restore/transfer-file }
- { role: restore-user-images/restore-local-registry-images, become: yes,
docker_images_backup: "{{ target_backup_dir }}/{{ backup_filename }}" }


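--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
+---
+#
+# Copyright (c) 2021 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# ROLE DESCRIPTION:
+# This role validates user input common to all B&R playbooks
+#
+- name: Set default target where backup tarball inspection takes place
+set_fact:
+inspection_target: "{{ inventory_hostname }}"
+# Set inspection target to Ansible control machine if the backup tarball
+# is off-box.
+- name: Update target if backup data are off-box
+set_fact:
+inspection_target: localhost
+when: on_box_data|bool == false
+- block:
+- name: Fail if backup_filename is not defined or set
+fail:
+msg: "Mandatory configuration parameter backup_filename is not defined or set."
+when: backup_filename is not defined or backup_filename is none
+- name: Fail if the backup file is off-box and initial_backup_dir is not specified
+fail:
+msg: "Parameter initial_backup_dir must be specified if the backup tar file is off box."
+when: (initial_backup_dir is not defined or initial_backup_dir is none) and
+(on_box_data|bool == false)
+- name: Set the initial_backup_dir to /opt/platform-backup if not specified and backup file is on the host
+set_fact:
+initial_backup_dir: /opt/platform-backup
+when: (initial_backup_dir is not defined or initial_backup_dir is none) and
+(on_box_data|bool == true)
+- name: Check if backup file exists
+stat:
+path: "{{ initial_backup_dir }}/{{ backup_filename }}"
+register: backup_stat_result
+- block:
+- name: Fail if backup file does not exist on the target
+fail:
+msg: "Backup file {{ initial_backup_dir }}/{{ backup_filename }} does not exist on the target."
+when: (on_box_data|bool == true)
+- name: Fail if the backup file does not exist locally
+fail:
+msg: "Backup file {{ initial_backup_dir }}/{{ backup_filename }} does not exist on this machine."
+when: (on_box_data|bool == false)
+when: not backup_stat_result.stat.exists
+delegate_to: "{{ inspection_target }}"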
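Review bot: `backup_filename` is checked only for being defined and then joined into `{{ initial_backup_dir }}/{{ backup_filename }}` for the `stat` (and, per the role description, for the transfer and restore steps that follow), so a value containing a directory component or `..` silently points outside `initial_backup_dir`; a validation role is the right place to reject that. Add, right after the defined-check, `- name: Fail if backup_filename is not a plain file name` / `fail: msg: "backup_filename must be a file name without directory components."` / `when: backup_filename | basename != backup_filename`. Stylistically, `on_box_data|bool == false` and `== true` read more naturally as `not on_box_data|bool` and `on_box_data|bool`, which the existing `when: not backup_stat_result.stat.exists` already does.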


@ -11,6 +11,35 @@
#
- name: Do StarlingX backup
block:
- name: Send application lifecycle notifications for pre-backup semantic check
script: /usr/bin/sysinv-utils notify backup-semantic-check
register: backup_semantic_check_notification_result
failed_when: false
- name: Fail if some application won't allow backup to proceed because semantic check failed.
fail:
msg: >
Semantic check failed for backup action from application
{{ backup_semantic_check_notification_result.stderr }}.
when: backup_semantic_check_notification_result.rc == 1
- name: Fail if there is some other/internal error when sending lifecycle hook.
fail:
msg: "Failed to run backup-semantic-check action."
when: backup_semantic_check_notification_result.rc == 2
- name: Send application lifecycle notifications for pre-backup action
script: /usr/bin/sysinv-utils notify pre-backup-action
register: pre_backup_notification_result
failed_when: false
- name: Fail if some application cannot handle the pre-backup action
fail:
msg: >
Pre-backup action for application
{{ pre_backup_notification_result.stderr }}.
when: pre_backup_notification_result.rc != 0
- name: Generate backup_in_progress alarm
script: fm_alarm.py "--set" "--backup"
register: alarm_result
@ -40,7 +69,7 @@
args:
warn: false
- name: Backup postgres, template1, sysinv, barbican db data
- name: Backup postgres, template1, sysinv, barbican, helmv2 db data
shell: >-
sudo -u postgres pg_dump --format=plain --inserts --disable-triggers --data-only
{{ item }} > {{ postgres_dir.path }}/{{ item }}.postgreSql.data
@ -51,6 +80,7 @@
- template1
- sysinv
- barbican
- helmv2
- name: Backup fm db data
shell: >-
@ -192,7 +222,6 @@
- "{{ patching_permdir }}"
- "{{ patching_repo_permdir }}"
- "{{ extension_permdir }}"
- "{{ dc_vault_permdir }}"
- "{{ deploy_permdir }}"
- "{{ postgres_dir.path }}"
- "{{ armada_permdir }}"
@ -210,6 +239,18 @@
loop_control:
label: "{{ item.item }}"
# For SystemController the dc-vault is part of platform but restored after controller-0 unlock
# Create a separate archive for it
- block:
- name: Check the size (in KiB) of directories that will be backed up for dc-vault
shell: "du -sh -k {{ dc_vault_permdir }} | awk '{print $1}'"
register: size_output_dc_vault
- name: Estimate the total required disk size for platform backup archive
set_fact:
total_platform_size_estimation: "{{ total_platform_size_estimation|int + size_output_dc_vault.stdout|int }}"
when: check_dc_controller.rc == 0
- name: Check the free space in the archive dir
shell: "df -k {{ backup_dir }} --output=avail | tail -1"
register: df_output
@ -291,6 +332,18 @@
when: ceph_backend.stat.exists
- name: Send application lifecycle notifications for pre-etcd-backup action
script: /usr/bin/sysinv-utils notify pre-etcd-backup-action
register: pre_etcd_backup_notification_result
failed_when: false
- name: Fail if some application cannot handle the pre-etcd-backup action
fail:
msg: >
Pre-etcd-backup action failed for application
{{ pre_etcd_backup_notification_result.stderr }}.
when: pre_etcd_backup_notification_result.rc != 0
- name: Create etcd snapshot temp dir
file:
path: "{{ tempdir.path }}/etcd-snapshot"
@ -301,11 +354,32 @@
set_fact:
etcd_snapshot_file: "{{ etcd_snapshot_dir.path }}/etcd-snapshot.db"
- name: Get etcd endpoints
shell: |
source /etc/platform/openrc
system addrpool-list | awk '/cluster-host-subnet/{print$14}'
register: etcd_endpoint
- name: Wrap etcd_endpoint in [] brackets if it's an ipv6 address
set_fact:
etcd_endpoint_parsed: "{{ etcd_endpoint.stdout | ipwrap }}"
- name: Create etcd snapshot
command: "etcdctl snapshot save {{ etcd_snapshot_file }}"
command: "etcdctl --endpoints https://{{ etcd_endpoint_parsed }}:2379 --cert=/etc/etcd/etcd-client.crt
--key=/etc/etcd/etcd-client.key --cacert=/etc/etcd/ca.crt snapshot save {{ etcd_snapshot_file }}"
environment:
ETCDCTL_API: 3
- name: Notify applications that etcd-backup succeeded
script: /usr/bin/sysinv-utils notify post-etcd-backup-action success
register: post_etcd_backup_notification_result
failed_when: false
- name: Fail if there is some other/internal error when sending lifecycle hook.
fail:
msg: "Failed to run post-etcd-backup action [{{ post_etcd_backup_notification_result.rc }}]"
when: post_etcd_backup_notification_result.rc != 0
- name: Create temp dir for override backup file
file:
path: "{{ tempdir.path }}/override"
@ -339,19 +413,32 @@
platform_backup_file: "{{ platform_backup_filename_prefix }}_{{ backup_timestamp }}.tgz"
docker_local_registry_backup_file: "{{ docker_local_registry_backup_filename_prefix }}_{{ backup_timestamp }}.tgz"
openstack_backup_file: "{{ openstack_backup_filename_prefix }}_{{ backup_timestamp }}.tgz"
dc_vault_backup_file: "{{ dc_vault_backup_filename_prefix }}_{{ backup_timestamp }}.tgz"
- name: Set backup files absolute path
set_fact:
platform_backup_file_path: "{{ backup_dir }}/{{ platform_backup_file }}"
docker_local_registry_backup_file_path: "{{ backup_dir }}/{{ docker_local_registry_backup_file }}"
openstack_backup_file_path: "{{ backup_dir }}/{{ openstack_backup_file }}"
dc_vault_backup_file_path: "{{ backup_dir }}/{{ dc_vault_backup_file }}"
- name: Save user uploaded images from local registry to an archive
import_tasks: export-user-local-registry-images.yml
vars:
export_file_path: "{{ docker_local_registry_backup_file_path }}"
kilo_free_size: "{{ remaining_disk_size_estimation }}"
when: backup_user_local_registry is defined and backup_user_local_registry
when: backup_user_local_registry is defined and backup_user_local_registry|bool == true
- name: Notify applications that backup succeeded
script: /usr/bin/sysinv-utils notify post-backup-action success
register: post_backup_notification_result
failed_when: false
- name: Fail if there is some other/internal error when sending lifecycle hook.
fail:
msg: "Failed to run post-backup action [{{ post_backup_notification_result.rc }}]"
when: post_backup_notification_result.rc != 0
# Archive module has a known bug that doesn't handle empty symbolic links
# well. Restore to tar command. Can add -P option to keep the leading
@ -370,7 +457,6 @@
{{ patching_permdir }} \
{{ patching_repo_permdir }} \
{{ extension_permdir }} \
{{ dc_vault_permdir }} \
{{ deploy_permdir }} \
{{ crushmap_file | default(\"\") }} \
{{ etcd_snapshot_file }} \
@ -382,6 +468,13 @@
args:
warn: false
- name: Create a tgz archive for dc-vault backup
shell: "tar -czf {{ dc_vault_backup_file_path }} $(ls -d \
{{ dc_vault_permdir }} 2>/dev/null)"
args:
warn: false
when: check_dc_controller.rc == 0
- name: Create a tgz archive for OpenStack backup
shell: "tar -czf {{ openstack_backup_file_path }} $(ls -d \
{{ armada_permdir }}/stx-openstack \
@ -427,7 +520,7 @@
file:
path: "{{ tempdir.path }}"
state: absent
when: tempdir is defined
when: tempdir is defined and tempdir.path is defined
- name: Remove the backup in progress flag file
file:
@ -443,3 +536,7 @@
fail:
msg: "Failed to clear backup-in-progress alarm."
when: alarm_result.rc != 0
rescue:
- name: Notify applications that backup failed.
script: /usr/bin/sysinv-utils notify post-backup-action failure
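Review bot: The `rescue:` added at the end of the "Do StarlingX backup" block only notifies applications of the failure; unless a `fail` task follows the notify (the section ends at that task and the hunk may be cut there), the rescue turns any error inside the block into a successful play and the caller's exit status no longer reports a failed backup. End the rescue with `- fail:` / `msg: "Backup failed; applications were notified of the failure."`, placed after the notify task so the notification is still sent. Two smaller points in the etcd-snapshot hunk: `ETCDCTL_API: 3` under `environment:` is an integer where a string is expected, so write `ETCDCTL_API: "3"`; and `du -sh -k` mixes the human-readable and KiB flags, whereas `du -sk` is what the task name ("size in KiB") describes.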


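--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,4 +0,0 @@
----
-hieradata_workdir: /tmp/hieradata
-manifest_apply_log: /tmp/apply_manifest.log
-loopback_ifname: lo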


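--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
----
-#
-# Copyright (c) 2019 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-# ROLE DESCRIPTION:
-# This role is to create static configuration and apply the puppet bootstrap
-# manifest.
-- name: Create config workdir
-file:
-path: "{{ hieradata_workdir }}"
-state: directory
-owner: root
-group: root
-mode: 0755
-- block:
-- name: Generating static config data
-command: "/usr/bin/sysinv-puppet create-static-config {{ hieradata_workdir }}"
-failed_when: false
-register: static_config_result
-- name: Fail if static hieradata cannot be generated
-fail:
-msg: "Failed to create puppet hiera static config."
-when: static_config_result.rc != 0
-- name: Write required system controller keystone user and project Ids to static hieradata if it's subcloud
-lineinfile:
-path: "{{ hieradata_workdir }}/static.yaml"
-line: "{{ item }}"
-with_items:
-- "keystone::dc_admin_user_id: {{ system_controller_keystone_admin_user_id }}"
-- "keystone::dc_admin_project_id: {{ system_controller_keystone_admin_project_id }}"
-- "openstack::keystone::bootstrap::dc_services_project_id: {{ system_controller_keystone_services_project_id }}"
-- "platform::sysinv::bootstrap::dc_sysinv_user_id: {{ system_controller_keystone_sysinv_user_id }}"
-- "platform::dcmanager::bootstrap::dc_dcmanager_user_id: {{system_controller_keystone_dcmanager_user_id}}"
-when: distributed_cloud_role == 'subcloud'
-when: mode == 'bootstrap'
-- block:
-- name: Set ssh_config tmp dir fact
-set_fact:
-temp_ssh_config_dir: /tmp/config/ssh_config
-- name: Prefetch static hieradata
-command: >-
-tar -C {{ hieradata_workdir }} -xpf {{ restore_data_file }} --transform='s,.*/,,'
-'{{ archive_puppet_permdir }}/*static.yaml'
-args:
-warn: false
-- name: Migrate static hieradata to new version
-command: >
-sed -i 's/{{ upgrade_metadata.from_release }}/{{ upgrade_metadata.to_release }}/g'
-{{ hieradata_workdir }}/static.yaml
-args:
-warn: false
-when: migrate_platform_data is defined and migrate_platform_data
-- name: Look for ssh_config dir in the backup tarball
-shell: "tar -tf {{ restore_data_file }} | grep 'opt/platform/config/.*/ssh_config'"
-args:
-warn: false
-failed_when: false
-register: search_ssh_config
-- block:
-- name: Create temp ssh_config dir
-file:
-path: "{{ temp_ssh_config_dir }}"
-state: directory
-owner: root
-group: root
-mode: 0755
-- name: Prefetch ssh_config
-command: >-
-tar -C {{ temp_ssh_config_dir }} -xpf {{ restore_data_file }} --transform='s,.*/,,'
-{{ archive_ssh_config_permdir }}
-args:
-warn: false
-- name: Remove the unwanted directory
-file:
-path: "{{ temp_ssh_config_dir }}/ssh_config"
-state: absent
-when: search_ssh_config.rc == 0
-when: mode == 'restore'
-- name: Applying puppet bootstrap manifest
-command: >
-/usr/local/bin/puppet-manifest-apply.sh
-{{ hieradata_workdir }}
-{{ derived_network_params.controller_0_address }}
-controller ansible_bootstrap > {{ manifest_apply_log }}
-register: bootstrap_manifest
-environment:
-INITIAL_CONFIG_PRIMARY: "true"
-LC_ALL: "en_US.UTF-8"
-failed_when: false
-- name: Fail if puppet manifest apply script returns an error
-fail:
-msg: >-
-Failed to apply bootstrap manifest. Please re-install host {{ansible_host}}
-before attempting to bootstrap it again. See /var/log/puppet/latest/puppet.log
-for details.
-when: bootstrap_manifest.rc != 0
-- name: Ensure Puppet directory exists
-file:
-path: "{{ puppet_permdir }}"
-state: directory
-recurse: yes
-owner: root
-group: root
-mode: 0755
-- name: Persist puppet working files
-command: "mv {{ hieradata_workdir }} {{ puppet_permdir }}"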


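--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,8 @@
+---
+hieradata_workdir: /tmp/hieradata
+manifest_apply_log: /tmp/apply_manifest.log
+loopback_ifname: lo
+# The default disk size thresholds must align with the ones in
+# config/.../sysinv/common/constants.py
+small_root_disk_size: 240
+minimum_small_root_disk_size: 196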


@ -0,0 +1,321 @@
---
#
# Copyright (c) 2019 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# SUB-TASK DESCRIPTION:
# These tasks create static configuration and apply the puppet bootstrap
# manifest.
- name: Create config workdir
file:
path: "{{ hieradata_workdir }}"
state: directory
owner: root
group: root
mode: 0755
- block:
- name: Generating static config data
command: "/usr/bin/sysinv-puppet create-static-config {{ hieradata_workdir }}"
failed_when: false
register: static_config_result
- name: Fail if static hieradata cannot be generated
fail:
msg: "Failed to create puppet hiera static config."
when: static_config_result.rc != 0
- name: Write required system controller keystone user and project Ids to static hieradata if it's subcloud
lineinfile:
path: "{{ hieradata_workdir }}/static.yaml"
line: "{{ item }}"
with_items:
- "keystone::dc_admin_user_id: {{ system_controller_keystone_admin_user_id }}"
- "keystone::dc_admin_project_id: {{ system_controller_keystone_admin_project_id }}"
- "openstack::keystone::bootstrap::dc_services_project_id: {{ system_controller_keystone_services_project_id }}"
- "platform::sysinv::bootstrap::dc_sysinv_user_id: {{ system_controller_keystone_sysinv_user_id }}"
- "platform::dcmanager::bootstrap::dc_dcmanager_user_id: {{system_controller_keystone_dcmanager_user_id}}"
when: distributed_cloud_role == 'subcloud'
- name: Create cert for etcd server and client
import_role:
name: common/create-etcd-certs
when: mode == 'bootstrap'
- block:
- name: Set ssh_config tmp dir fact
set_fact:
temp_ssh_config_dir: /tmp/config/ssh_config
- name: Prefetch static and system hieradata
command: >-
tar -C {{ hieradata_workdir }} -xpf {{ restore_data_file }} --transform='s,.*/,,'
'{{ archive_puppet_permdir }}/*static.yaml'
'{{ archive_puppet_permdir }}/system.yaml'
args:
warn: false
- name: Migrate static hieradata to new version
command: >
sed -i 's/{{ upgrade_metadata.from_release }}/{{ upgrade_metadata.to_release }}/g'
{{ hieradata_workdir }}/static.yaml
args:
warn: false
when: migrate_platform_data is defined and migrate_platform_data
# The helmv2 database is new in the release stx5.0. The AIO-SX
# upgrade from stx4.0 to stx5.0 requires a password to be generated
# and written into hieradata to access the DB. This can be removed
# in the release that follows stx5.0
- block:
- name: Generate helmv2 database password and store in keyring
vars:
script_content: |
import keyring
import os
from sysinv.common import utils
helmv2_db_pw = keyring.get_password("helmv2", "database")
if helmv2_db_pw:
print helmv2_db_pw
exit()
os.environ['XDG_DATA_HOME'] = '/tmp'
try:
helmv2_db_pw = utils.generate_random_password(length=16)
keyring.set_password("helmv2", "database", helmv2_db_pw)
print helmv2_db_pw
except Exception as e:
raise Exception("Failed to generate password for helmv2:%s" % e)
finally:
del os.environ['XDG_DATA_HOME']
shell: "{{ script_content }}"
args:
executable: /usr/bin/python
register: helmv2_db_pw_output
no_log: true
- name: Write helmv2 database username to hieradata
lineinfile:
path: "{{ hieradata_workdir }}/static.yaml"
line: "platform::helm::v2::db::postgresql::user: admin-helmv2"
- name: Write helmv2 database password to hieradata
lineinfile:
path: "{{ hieradata_workdir }}/secure_static.yaml"
line: "platform::helm::v2::db::postgresql::password: {{ helmv2_db_pw_output.stdout }}"
when: (migrate_platform_data is defined and
migrate_platform_data and
upgrade_metadata.from_release == "20.06")
- name: Restore etcd certificates.
shell: tar -C / --overwrite -xpf {{ restore_data_file }} {{ item }}
args:
warn: false
with_items:
- "{{ '/etc/etcd' | regex_replace('^\\/', '') }}"
become_user: root
- name: Check if etcd certs are exist.
find:
paths: "/etc/etcd"
patterns:
- '*.crt'
- '*.key'
register: etcd_certs_find_output
# This is for simplex upgrade from STX 4.0 to 5.0
- block:
- name: set kubeadm_pki_dir
set_fact:
kubeadm_pki_dir: /etc/kubernetes/pki
- name: Create pki directory for kubernetes certificates
file:
path: "{{ kubeadm_pki_dir }}"
state: directory
mode: 0700
- name: Restore CA
shell: tar -C / --overwrite -xpf {{ restore_data_file }} {{ item }}
args:
warn: false
with_items:
- "{{ kubeadm_pki_dir | regex_replace('^\\/', '') }}"
become_user: root
- name: Create certs for etcd server and client for simplex upgrade
import_role:
name: common/create-etcd-certs
when: etcd_certs_find_output.matched == 0
- name: Check if apiserver-keys are present in the backup tarball
shell: "tar -tf {{ restore_data_file }} | grep 'etc/kubernetes/pki/apiserver-etcd-client.*'"
args:
warn: false
failed_when: false
register: apiserver_etcd_certs_find_output
- name: Extract apiserver-keys from /etc/kubernetes/pki
shell: tar -C /etc/etcd/ --overwrite -xpf {{ restore_data_file }} {{ item }} --strip-components 3
args:
warn: false
with_items:
- "{{ kubeadm_pki_dir | regex_replace('^\\/', '') }}/apiserver-etcd-client.crt"
- "{{ kubeadm_pki_dir | regex_replace('^\\/', '') }}/apiserver-etcd-client.key"
become_user: root
when: apiserver_etcd_certs_find_output.rc == 0
- name: Look for ssh_config dir in the backup tarball
shell: "tar -tf {{ restore_data_file }} | grep 'opt/platform/config/.*/ssh_config'"
args:
warn: false
failed_when: false
register: search_ssh_config
- block:
- name: Create temp ssh_config dir
file:
path: "{{ temp_ssh_config_dir }}"
state: directory
owner: root
group: root
mode: 0755
- name: Prefetch ssh_config
command: >-
tar -C {{ temp_ssh_config_dir }} -xpf {{ restore_data_file }} --transform='s,.*/,,'
{{ archive_ssh_config_permdir }}
args:
warn: false
- name: Remove the unwanted directory
file:
path: "{{ temp_ssh_config_dir }}/ssh_config"
state: absent
when: search_ssh_config.rc == 0
when: mode == 'restore'
- name: Set the ip version of etcd listen address to its default value
set_fact:
etcd_listen_address_version: 4
- name: Update the ip version of etcd listen address to ipv6
set_fact:
etcd_listen_address_version: 6
when: ipv6_addressing != False
# Add etcd security info to static hieradata so that etcd is configured with security
# when etc puppet manifest is applied before Kubernetes master is initialized in the later role.
- name: Write security settings to static hieradata
lineinfile:
path: "{{ hieradata_workdir }}/static.yaml"
line: "{{ item }}"
with_items:
- "platform::etcd::params::security_enabled: true"
- "platform::etcd::params::bind_address: {{ cluster_floating_address }}"
- "platform::etcd::params::bind_address_version: {{ etcd_listen_address_version }}"
- name: Create runtime hieradata
file:
path: "{{ hieradata_workdir }}/runtime.yaml"
state: touch
owner: root
group: root
mode: 0600
- block:
- name: Specify filesystem sizes
set_fact:
pgsql_size: 10
platform_size: 10
etcd_size: 5
dockerdistribution_size: 16
backup_size: 20
docker_size: 30
kubelet_size: 10
scratch_size: 16
when: root_disk_size|int >= minimum_small_root_disk_size
- name: Expand filesystem sizes
set_fact:
pgsql_size: 20
backup_size: 25
when: root_disk_size|int > small_root_disk_size
- name: Write filesystem settings to runtime hieradata
lineinfile:
path: "{{ hieradata_workdir }}/runtime.yaml"
line: "{{ item }}"
with_items:
- "platform::filesystem::backup::params::lv_size: {{ backup_size }}"
- "platform::filesystem::docker::params::bootstrap::lv_size: {{ docker_size }}"
- "platform::filesystem::kubelet::params::lv_size: {{ kubelet_size }}"
- "platform::filesystem::scratch::params::lv_size: {{ scratch_size }}"
- "platform::drbd::dockerdistribution::params::lv_size: {{ dockerdistribution_size }}"
- "platform::drbd::etcd::params::lv_size: {{ etcd_size }}"
- "platform::drbd::pgsql::params::lv_size: {{ pgsql_size }}"
- "platform::drbd::platform::params::lv_size: {{ platform_size }}"
when: root_disk_size|int >= minimum_small_root_disk_size
when: mode == 'bootstrap'
- block:
- name: Read drbd settings from system hieradata
command: "grep 'platform::drbd::.*::params::lv_size.*' {{ hieradata_workdir }}/system.yaml"
register: system_file
- name: Write filesystem settings to runtime hieradata
lineinfile:
path: "{{ hieradata_workdir }}/runtime.yaml"
line: "{{ item }}"
with_items: "{{system_file.stdout_lines}}"
- name: Remove system hieradata
file:
path: "{{ hieradata_workdir }}/system.yaml"
state: absent
when: mode == 'restore'
- name: Applying puppet bootstrap manifest
command: >
/usr/local/bin/puppet-manifest-apply.sh
{{ hieradata_workdir }}
{{ derived_network_params.controller_0_address }}
controller ansible_bootstrap
{{ hieradata_workdir }}/runtime.yaml > {{ manifest_apply_log }}
register: bootstrap_manifest
environment:
INITIAL_CONFIG_PRIMARY: "true"
LC_ALL: "en_US.UTF-8"
failed_when: false
- name: Fail if puppet manifest apply script returns an error
fail:
msg: >-
Failed to apply bootstrap manifest. Please re-install host {{ansible_host}}
before attempting to bootstrap it again. See /var/log/puppet/latest/puppet.log
for details.
when: bootstrap_manifest.rc != 0
- name: Remove runtime hieradata
file:
path: "{{ hieradata_workdir }}/runtime.yaml"
state: absent
- name: Ensure Puppet directory exists
file:
path: "{{ puppet_permdir }}"
state: directory
recurse: yes
owner: root
group: root
mode: 0755
- name: Persist puppet working files
command: "mv {{ hieradata_workdir }} {{ puppet_permdir }}"


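--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,56 @@
+---
+#
+# Copyright (c) 2021 Intel, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# SUB-TASK DESCRIPTION:
+# These tasks reconfigure etcd when bootstrap is replayed with networking change(s).
+- name: Copy back puppet working files
+command: "cp -r {{ puppet_permdir }}/hieradata /tmp/"
+- name: Create cert for etcd server and client
+import_role:
+name: common/create-etcd-certs
+- name: Reconfigure cluster float address in static.yaml
+lineinfile:
+path: "{{ hieradata_workdir }}/static.yaml"
+regexp: "^platform::etcd::params::bind_address:"
+line: "platform::etcd::params::bind_address: {{ cluster_floating_address }}"
+- name: Create list of etcd classes to pass to puppet
+copy:
+dest: "/tmp/etcd.yml"
+content: |
+classes:
+- platform::etcd::init
+- name: Set facts derived from previous network configurations
+set_fact:
+prev_controller_floating_address:
+"{{ (prev_management_subnet | ipaddr(1)).split('/')[0]
+if prev_management_start_address == 'derived' else prev_management_start_address }}"
+- name: Get previous controller_0 address
+set_fact:
+prev_controller_0_address: "{{ prev_controller_floating_address|ipmath(1) }}"
+- name: Applying puppet for enabling etcd security
+command: >
+/usr/local/bin/puppet-manifest-apply.sh
+{{ hieradata_workdir }}
+{{ prev_controller_0_address }}
+controller runtime /tmp/etcd.yml
+register: etcd_manifest
+environment:
+LC_ALL: "en_US.UTF-8"
+- name: Fail if etcd manifest apply script returns an error
+fail:
+msg: "Failed to apply etcd manifest!"
+when: etcd_manifest.rc != 0
+- name: Copy static files
+command: "cp -r {{ hieradata_workdir }} {{ puppet_permdir }}"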
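Review bot: The `Fail if etcd manifest apply script returns an error` task at L1138–L1141 can never run, because the `command` task that registers `etcd_manifest` (L1130–L1137) has no `failed_when: false`; a non-zero exit already aborts the play with the module's generic error before the `fail` task is reached. Add `failed_when: false` to that command task, as the bootstrap-manifest apply task visible earlier on this page does, or drop the dedicated fail task. The working copy is also left behind: L1106 copies `{{ puppet_permdir }}/hieradata` into `/tmp/` and L1143 copies it back, but nothing removes the `/tmp` copy (which elsewhere on this page is shown to include `secure_static.yaml`), so a closing `file: path: "{{ hieradata_workdir }}" state: absent` would match the `mv` used on the bootstrap path. The hard-coded `/tmp/` on L1106 additionally assumes `hieradata_workdir` resolves to `/tmp/hieradata`; deriving the destination from that variable keeps the two in step.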


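--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,16 @@
+---
+#
+# Copyright (c) 2021 Intel, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# ROLE DESCRIPTION:
+# This role is to apply the puppet manifest.
+- name: Apply bootstrap manifest (only in the initial play)
+include_tasks: apply_bootstrap_manifest.yml
+when: not replayed
+- name: Apply manifest to reconfigure etcd
+include_tasks: apply_etcd_manifest.yml
+when: replayed and network_config_update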


@ -1,6 +1,6 @@
---
#
# Copyright (c) 2020 Wind River Systems, Inc.
# Copyright (c) 2020-21 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
@ -32,6 +32,27 @@
import_tasks: test_cert_manager_creation.yml
when: mode != 'restore'
# Create a generic namespace to be shared by deployed platform resources as needed
# and copy default-registry-key
- name: Create 'deployment' namespace
shell: kubectl --kubeconfig=/etc/kubernetes/admin.conf create namespace deployment --dry-run -o yaml |
kubectl --kubeconfig=/etc/kubernetes/admin.conf apply -f -
- name: Get deployment namespace default registry key
command: >-
kubectl --kubeconfig=/etc/kubernetes/admin.conf get secret default-registry-key --namespace=deployment
failed_when: false
register: get_deployment_default_registry_key
- name: Copy default-registry-key to deployment namespace
shell: >-
kubectl get secret default-registry-key --namespace=kube-system -o yaml
| sed 's/namespace: kube-system/namespace: deployment/'
| kubectl apply --namespace=deployment -f -
environment:
KUBECONFIG: "/etc/kubernetes/admin.conf"
when: get_deployment_default_registry_key.stdout == ""
# Create DC CA and set up subcloud admin endpoint certificates for bootstrap mode.
- block:
- name: Create distributed cloud CA
@ -39,7 +60,10 @@
when: distributed_cloud_role == 'systemcontroller'
- name: Set up subcloud admin endpoints certificates if host is a subcloud
include_tasks: setup_sc_adminep_certs.yml
include_role:
name: common/setup-subcloud-adminep-certs
vars:
ansible_become: yes
when: distributed_cloud_role == 'subcloud'
when: mode == 'bootstrap'
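Review bot: The secret copy at L1187–L1190 pipes the full `-o yaml` dump of the kube-system secret — including `metadata.uid`, `resourceVersion` and `creationTimestamp` — through a textual `sed` into `kubectl apply`; the `when` guard on L1193 stops it from re-applying, but carrying server-side metadata into an apply is fragile, and the `sed` would also rewrite any other `namespace: kube-system` text in the object. Stripping that metadata first (for example `-o json` piped through `jq 'del(.metadata.uid,.metadata.resourceVersion,.metadata.creationTimestamp)'`, if jq is available on the host) or re-creating the secret from its `.data` makes the intent explicit. `--dry-run` without `=client` at L1179 is deprecated on recent kubectl releases; `--dry-run=client` avoids the warning once the bundled kubectl supports it. Copying the registry credential into the shared `deployment` namespace also widens the set of principals that can read it, so the namespace's RBAC should be reviewed alongside this change.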


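--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -98,3 +98,60 @@ subjects:
 - kind: Group
 name: system:serviceaccounts:kube-system
 apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: kubelet-kube-system-privileged-psp-user
+namespace: kube-system
+annotations:
+kubernetes.io/description: 'Allow nodes to create privileged pods. Should
+be used in combination with the NodeRestriction admission plugin to limit
+nodes to mirror pods bound to themselves.'
+labels:
+addonmanager.kubernetes.io/mode: Reconcile
+kubernetes.io/cluster-service: 'true'
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: privileged-psp-user
+subjects:
+- kind: Group
+apiGroup: rbac.authorization.k8s.io
+name: system:nodes
+- kind: User
+apiGroup: rbac.authorization.k8s.io
+# Legacy node ID
+name: kubelet
+---
+# ClusterRoleBinding of system:serviceaccounts:kubesystem to
+# restricted-psp-user Role. Applies to all namespaces.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: kube-system-SAs-restricted-psp-users
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: restricted-psp-user
+subjects:
+- kind: Group
+name: system:serviceaccounts:kube-system
+apiGroup: rbac.authorization.k8s.io
+---
+# ClusterRoleBinding of system:authenticated (all
+# authenticated users) to restricted-psp-user Role.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: authenticated-users-restricted-psp-users
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: restricted-psp-user
+subjects:
+- kind: Group
+name: system:authenticated
+apiGroup: rbac.authorization.k8s.io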
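Review bot: The `kubelet-kube-system-privileged-psp-user` binding at L1216–L1238 grants the privileged PSP to the whole `system:nodes` group plus a legacy `User: kubelet`; its own annotation says it must be paired with the NodeRestriction admission plugin, but nothing on this page shows that plugin being enabled, so please confirm it is present in the apiserver's `--enable-admission-plugins` before relying on this binding, and drop the `kubelet` user subject if no kubelet on these systems still authenticates under that identity. The comment on L1240 says `system:serviceaccounts:kubesystem` while the subject on L1252 is `system:serviceaccounts:kube-system`; suggested comment: `# ClusterRoleBinding of system:serviceaccounts:kube-system to`. The binding names also mix cases (`kube-system-SAs-restricted-psp-users` next to `authenticated-users-restricted-psp-users`); consistently lowercase names are easier to grep for.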


@ -163,107 +163,6 @@
name: lighttpd
state: restarted
- block:
# NOTE: helm --debug option displays vital information, no harm enabling.
# These only show in ansible.log on failure.
- name: Add Helm repos
command: /sbin/helm repo add "{{ item }}" "http://127.0.0.1:{{ helm_repo_port }}/helm_charts/{{ item }}" --debug
with_items:
- "{{ helm_repo_name_apps }}"
- "{{ helm_repo_name_platform }}"
# NOTE: helm --debug option displays vital information, no harm enabling.
# These only show in ansible.log on failure.
- name: Update Helm repos
command: /sbin/helm repo update --debug
become_user: sysadmin
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
HOME: /home/sysadmin
- block:
- name: Set Armada overrides
set_fact:
helm_charts_url: "http://{{ controller_floating_address | ipwrap }}:{{ helm_repo_port }}/helm_charts"
armada_default_password: "{{ lookup('password', '/dev/null chars=ascii_letters length=16') | b64encode }}"
armada_password: "{{ lookup('password', '/dev/null chars=ascii_letters length=16') | b64encode }}"
- name: Create keystone credentials for armada domain (local host client only)
shell: "source /etc/platform/openrc; \
openstack domain create {{ armada_domain }}; \
openstack project create --domain {{ armada_domain }} 'service'; \
openstack user create --domain {{ armada_domain }} \
--project service --project-domain {{ armada_domain }} \
--password {{ armada_password }} {{ armada_user }}; \
openstack role add --project-domain {{ armada_domain }} \
--user-domain {{ armada_domain }} --user {{ armada_user }} \
--project service admin"
args:
executable: /bin/bash
no_log: true
- name: Create Armada overrides
template:
src: "armada-overrides.yaml.j2"
dest: "/tmp/armada-overrides.yaml"
- name: Create namespace for Armada
command: >
kubectl create namespace {{ armada_namespace }}
failed_when: false
register: create_ns_output
- name: Fail if creating namespace fails
fail:
msg: "Failed to create {{ armada_namespace }} namespace. Error: {{ create_ns_output.stderr }}"
when: create_ns_output.rc is defined and create_ns_output.rc !=0 and
create_ns_output.stderr is not search('AlreadyExists')
- name: Check if secret exists
command: kubectl -n {{ armada_namespace }} get secret {{ armada_secret_name }}
failed_when: false
register: armada_get_secret_response
# Set no_log to true so that we don't expose the local registry credentials
- name: Create secret if it doesn't exist
command: >-
kubectl -n {{ armada_namespace }} create secret docker-registry {{ armada_secret_name }}
--docker-server={{ local_registry }}
--docker-username={{ local_registry_credentials['username'] }}
--docker-password={{ local_registry_credentials['password'] }}
when: armada_get_secret_response.rc != 0
no_log: true
# Workaround for helm v3 issue with null overrides.
# Configure sane node label values that work with armada node selector
- name: Create Armada node label
command: >
kubectl label node controller-0 armada=enabled --overwrite=true
# To prevent helm-upload requiring sudo and a tty for password,
# become the intended www user.
- name: Upload Armada charts
become_user: www
command: >
/usr/local/sbin/helm-upload stx-platform /opt/extracharts/armada-0.1.0.tgz
# NOTE: helm --debug option displays vital information, no harm enabling.
# These only show in ansible.log on failure.
- name: Update info of available charts from chart repos
command: >
/sbin/helm repo update --debug
# NOTE: helm --debug option displays vital information, no harm enabling.
# These only show in ansible.log on failure.
- name: Launch Armada with Helm v3
command: >-
/sbin/helm upgrade --install armada stx-platform/armada
--namespace {{ armada_namespace }}
--values /tmp/armada-overrides.yaml
--debug
become_user: sysadmin
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
HOME: /home/sysadmin
- name: Launch containerized Armada using Helm v3
import_role:
name: common/armada-helm
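Review bot: The `import_role` at L1365–L1367 replaces a block that ran with `become_user: sysadmin` and an explicit `KUBECONFIG`/`HOME` environment (L1361–L1364) and that marked the two tasks handling the armada keystone password and the local registry credentials `no_log: true` (L1309, L1336); the replacement role is not visible on this page, so please confirm `common/armada-helm` carries `no_log: true` on its equivalents so those values stay out of ansible.log, and that it supplies its own `become_user`/environment where the old block relied on the surrounding ones. Whatever structure encloses the new task continues outside the hunk.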


@ -20,7 +20,6 @@
# - Prepare and apply coredns config
# - Restrict coredns to master node and set anti-affnity (duplex system)
# - Restrict coredns to 1 pod (simplex system)
# - Remove taint from master node
# - Add kubelet service override
# - Register kubelet with pmond
# - Reload systemd
@ -58,20 +57,42 @@
k8s_pki_files: { ca.crt: "{{k8s_root_ca_cert}}", ca.key: "{{k8s_root_ca_key}}" }
when: (k8s_root_ca_cert)
- block:
- name: Create pki directory for kubernetes certificates
file:
path: "{{ kubeadm_pki_dir }}"
state: directory
mode: 0700
- name: Create pki directory for kubernetes certificates
file:
path: "{{ kubeadm_pki_dir }}"
state: directory
mode: 0700
- block:
- name: Copy kubernetes certificates
copy:
src: "{{ item.value }}"
dest: "{{ kubeadm_pki_dir }}/{{item.key}}"
with_dict: "{{ k8s_pki_files }}"
when: k8s_pki_files is defined and mode == 'bootstrap'
- name: Copy apiserver-etcd-client cert and key
copy:
src: "/etc/etcd/{{ item }}"
dest: "{{ kubeadm_pki_dir }}/{{ item }}"
remote_src: yes
force: yes
with_items:
- "apiserver-etcd-client.crt"
- "apiserver-etcd-client.key"
when: k8s_pki_files is defined
- name: Copy ca, cert and key generated by etcd to kubeadm_pki_dir
copy:
src: "/etc/etcd/{{ item }}"
dest: "{{ kubeadm_pki_dir }}/{{ item }}"
remote_src: yes
force: yes
with_items:
- "ca.crt"
- "ca.key"
- "apiserver-etcd-client.crt"
- "apiserver-etcd-client.key"
when: k8s_pki_files is undefined
- name: Set kubelet node configuration
set_fact:
@ -126,7 +147,7 @@
environment:
APISERVER_ADVERTISE_ADDRESS: "{{ controller_0_cluster_host }}"
CONTROLPLANE_ENDPOINT: "{{ cluster_floating_address }}"
ETCD_ENDPOINT: "http://{{ cluster_floating_address | ipwrap }}:2379"
ETCD_ENDPOINT: "https://{{ cluster_floating_address | ipwrap }}:2379"
POD_NETWORK_CIDR: "{{ cluster_pod_subnet }}"
SERVICE_NETWORK_CIDR: "{{ cluster_service_subnet }}"
VOLUME_PLUGIN_DIR: "{{ kubelet_vol_plugin_dir }}"
@ -311,9 +332,6 @@
when: mode == 'bootstrap'
- name: Remove taint from master node
shell: "kubectl --kubeconfig=/etc/kubernetes/admin.conf taint node controller-0 node-role.kubernetes.io/master- || true"
- block:
- name: Applying kubernetes plugins
include_role:
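Review bot: The two new `copy` tasks at L1400–L1409 and L1410–L1421 place `apiserver-etcd-client.key` and `ca.key` into `{{ kubeadm_pki_dir }}` without a `mode:`, so the resulting permissions on the private keys depend on the module's defaults rather than the 0600 they should carry; add `mode: 0600` (or `mode: preserve`, as the registry-cert copy elsewhere in this commit does) to both tasks. The `when: k8s_pki_files is defined` on L1409 drops the `mode == 'bootstrap'` half of the condition used on L1399; if that copy is meant to run on restore as well that is fine, otherwise the two conditions probably want to match. The block opened at L1382 and its condition continue outside the hunk.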


@ -54,11 +54,35 @@
state: directory
mode: 0700
- name: Determine the stream_server_address for containerd
set_fact:
stream_server_address: "{{ '127.0.0.1' if ipv6_addressing == False else '::1' }}"
- name: Get guest local registry credentials
vars:
script_content: |
import keyring
password = keyring.get_password("mtce", "services")
if not password:
raise Exception("Local registry password not found.")
print dict(username='mtce', password=str(password))
shell: "{{ script_content }}"
args:
executable: /usr/bin/python
register: guest_local_registry_credentials_output
- set_fact:
guest_local_registry_credentials: "{{ guest_local_registry_credentials_output.stdout }}"
- name: Determine the registry_auth for containerd
set_fact:
registry_auth: "{{ (guest_local_registry_credentials['username'] + ':'
+ guest_local_registry_credentials['password']) | b64encode }}"
- name: Create config.toml file for containerd configuration
copy:
src: "{{ containerd_template }}"
template:
src: "config.toml.j2"
dest: /etc/containerd/config.toml
remote_src: yes
mode: 0600
- name: Remove puppet template for insecure registries
@ -81,13 +105,6 @@
when: (insecure_registries is defined and
insecure_registries | length > 0)
- name: Update config.toml with cni bin dir
command: "sed -i -e 's|<%= @k8s_cni_bin_dir %>|$CNI_BIN_DIR|g' /etc/containerd/config.toml"
args:
warn: false
environment:
CNI_BIN_DIR: "{{ kubelet_cni_bin_dir }}"
- name: Get local registry credentials
vars:
script_content: |
@ -104,63 +121,6 @@
- set_fact:
local_registry_credentials: "{{ local_registry_credentials_output.stdout }}"
- name: Get guest local registry credentials
vars:
script_content: |
import keyring
password = keyring.get_password("mtce", "services")
if not password:
raise Exception("Local registry password not found.")
print dict(username='mtce', password=str(password))
shell: "{{ script_content }}"
args:
executable: /usr/bin/python
register: guest_local_registry_credentials_output
- set_fact:
guest_local_registry_credentials: "{{ guest_local_registry_credentials_output.stdout }}"
- name: Update config.toml with registry auth
command: "sed -i -e 's|<%= @registry_auth %>|$REG_AUTH|g' /etc/containerd/config.toml"
args:
warn: false
environment:
REG_AUTH: "{{ (guest_local_registry_credentials['username'] + ':'
+ guest_local_registry_credentials['password']) | b64encode }}"
- name: Determine the stream_server_address for containerd
set_fact:
stream_server_address: "{{ '127.0.0.1' if ipv6_addressing == False else '::1' }}"
- name: Set the stream_server_address in config.toml
command: "sed -i -e 's|<%= @stream_server_address %>|'$STREAM_SERVER_ADDRESS'|g' /etc/containerd/config.toml"
args:
warn: false
environment:
STREAM_SERVER_ADDRESS: "{{ stream_server_address }}"
- name: Remove central cloud registry config on non-subclouds
replace:
path: /etc/containerd/config.toml
after: '# Central cloud registry config for distributed cloud subclouds'
regexp: '^(<%- if @distributed_cloud_role.+)\n(.+)\n(.+)\n(.+end -%>)'
replace: ''
when: distributed_cloud_role != 'subcloud'
- name: Remove erb if tag start for central cloud registry config on subclouds
replace:
path: /etc/containerd/config.toml
regexp: "^(# Central cloud registry.+)\n(.+role == 'subcloud' -%>)"
replace: '# Central cloud registry config for distributed cloud subclouds'
when: distributed_cloud_role == 'subcloud'
- name: Remove erb if tag end for central cloud registry config on subclouds
replace:
path: /etc/containerd/config.toml
regexp: "^(<%- end -%>)\n(.+config for distributed cloud subclouds)"
replace: '# End central cloud registry config for distributed cloud subclouds'
when: distributed_cloud_role == 'subcloud'
- name: Restart containerd
systemd:
name: containerd
@ -297,6 +257,7 @@
src: "{{ registry_cert_crt }}"
dest: "{{ docker_cert_dir }}/registry.local:9001"
remote_src: yes
mode: preserve
- name: Start registry token server
systemd:
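Review bot: The `Get guest local registry credentials` task at L1449–L1460 registers the `mtce` registry password in `guest_local_registry_credentials_output` without `no_log: true`, and the two `set_fact` tasks that follow (L1461–L1466) derive `registry_auth` from it, so with verbose output the plaintext password and its base64 form land in ansible.log. Add `no_log: true` to the shell task and to the `registry_auth` set_fact, as the keyring-reading task elsewhere on this page already does. The `template` task at L1470–L1474 keeps `mode: 0600` on `/etc/containerd/config.toml`, which is the right choice now that the rendered file embeds `registry_auth`.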


@ -58,6 +58,31 @@
import_role:
name: common/push-docker-images
- name: Bring up etcd
systemd:
name: etcd
state: started
- name: Check if etcd-client crt was created.
find:
paths: "/etc/etcd"
patterns: "etcd-client.*"
register: etcd_client_find_output
- name: Create etcd client account for root, apiserver and enable etcd auth
command: "etcdctl --cert-file=$ETCD_CERT --key-file=$ETCD_KEY --ca-file=$ETCD_CA
--endpoint=$ETCD_ENDPOINT {{ item }}"
with_items:
- "user add root:sysadmin"
- "user add apiserver-etcd-client:sysadmin"
- "auth enable"
environment:
ETCD_ENDPOINT: "https://{{ cluster_floating_address | ipwrap }}:2379"
ETCD_CERT: "/etc/etcd/etcd-client.crt"
ETCD_KEY: "/etc/etcd/etcd-client.key"
ETCD_CA: "/etc/etcd/ca.crt"
when: etcd_client_find_output.matched != 0
- name: Bring up Kubernetes master
import_tasks: bringup_kubemaster.yml
@ -147,36 +172,23 @@
kubectl --kubeconfig=/etc/kubernetes/admin.conf scale deployment
-n kube-system coredns --replicas={{ coredns_get_replicas.stdout }}
- name: Get the number of Kubernetes nodes to calculate async_retries value
# Use tail to skip the header of kubectl command, then count the line output
shell: kubectl --kubeconfig=/etc/kubernetes/admin.conf get nodes | tail -n +2 | wc -l
register: k8s_node_count
- name: Override async parameters
# async_retries needs to scale with the number of nodes because the async
# kubectl wait tasks can use their full 30 second timeout for each pod they
# are checking. When checking a daemonset like app=multus, this means that
# the wait command could take up to 30s * number of nodes
# When this value is too short, the async task does not complete and the
# play fails on the "Fail if any of the Kubernetes component, Networking
# or Tiller pods are not ready by this time" task.
# The async_retries value results in a total wait time of
# async_retries * delay (from "Get wait task results" task below).
set_fact:
async_timeout: 120
async_retries: "{{ (k8s_node_count.stdout|int * 6)|int }}"
when: k8s_node_count.stdout|int > 1
- name: Wait for {{ pods_wait_time }} seconds to ensure deployments have time to scale back up
- name: Wait for 30 seconds to ensure deployments have time to scale back up
wait_for:
timeout: "{{ pods_wait_time }}"
timeout: 30
when: mode == 'restore'
- name: Start parallel tasks to wait for Kubernetes component and Networking pods to reach ready state
# Only check for pods on the current host to avoid waiting for pods on downed nodes
# This speeds up "Get wait tasks results" on multi-node systems
command: >-
kubectl --kubeconfig=/etc/kubernetes/admin.conf wait --namespace=kube-system
--for=condition=Ready pods --selector {{ item }} --timeout=30s
--for=condition=Ready pods --selector {{ item }} --field-selector spec.nodeName=controller-0
--timeout={{ async_timeout }}s
async: "{{ async_timeout }}"
poll: 0
with_items: "{{ kube_component_list }}"
@ -186,7 +198,7 @@
# Check the deployment status rather than the pod status in case some pods are down on other nodes
command: >-
kubectl --kubeconfig=/etc/kubernetes/admin.conf wait --namespace={{ item.namespace }}
--for=condition=Available deployment {{ item.deployment }} --timeout=30s
--for=condition=Available deployment {{ item.deployment }} --timeout={{ async_timeout }}s
async: "{{ async_timeout }}"
poll: 0
with_items:
@ -204,13 +216,6 @@
# complete (success or failure) within 30 seconds
retries: "{{ async_retries }}"
delay: 6
# At B&R, after the restore phase, this will fail on duplex or standard systems because
# some of the resources that we are waiting for are replicasets and daemonsets
# and some pods will be launched on a different host than controller-0.
# Since only the controller-0 is online at this step, the rest of the pods that
# are on a different host will fail to start, so we only need to check that
# at least 1 pod from every deployment is up and running. If there are none active
# from a particular deployment it will be caught in the next task.
failed_when: false
with_items:
- "{{ wait_for_kube_system_pods.results }}"
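Review bot: The etcd accounts created at L1565–L1577 use the literal password `sysadmin` for both `root` and `apiserver-etcd-client`, placed directly on the `etcdctl user add` command line, so the credential is identical on every deployment, appears in task output (the task has no `no_log`) and is visible in the process list while the command runs. If nothing else depends on that literal value, generate the password per host the way other credentials on this page are (a `lookup('password', ...)` or the keyring pattern used for the helmv2 DB password), persist it where later administrative logins can read it, and mark the task `no_log: true`. The loop is also not idempotent: `user add` returns non-zero once the user exists, so a replayed bootstrap fails here unless the already-exists case is tolerated (the exact etcdctl message should be confirmed for the version in use). A sketch of the shape:
```yaml
- name: Generate etcd account passwords
  set_fact:
    etcd_root_password: "{{ lookup('password', '/dev/null chars=ascii_letters length=16') }}"
    etcd_apiserver_password: "{{ lookup('password', '/dev/null chars=ascii_letters length=16') }}"
  no_log: true

- name: Create etcd client account for root, apiserver and enable etcd auth
  command: "etcdctl --cert-file=$ETCD_CERT --key-file=$ETCD_KEY --ca-file=$ETCD_CA
    --endpoint=$ETCD_ENDPOINT {{ item }}"
  with_items:
    - "user add root:{{ etcd_root_password }}"
    - "user add apiserver-etcd-client:{{ etcd_apiserver_password }}"
    - "auth enable"
  # … unchanged: environment …
  register: etcd_user_setup
  failed_when: etcd_user_setup.rc != 0 and 'already exists' not in etcd_user_setup.stderr
  no_log: true
  when: etcd_client_find_output.matched != 0
```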


@ -1,6 +1,6 @@
---
#
# copyright (c) 2019 Wind River Systems, Inc.
# Copyright (c) 2019-2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
@ -14,7 +14,7 @@
- name: Check if the default route exists
shell: "{{ ip_command }} route show | grep 'default via {{ external_oam_gateway_address }}'"
ignore_errors: yes
failed_when: false
register: route_check
- block:


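--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,117 @@
+root = "/var/lib/docker"
+state = "/var/run/containerd"
+oom_score = 0
+[grpc]
+address = "/var/run/containerd/containerd.sock"
+uid = 0
+gid = 0
+max_recv_message_size = 16777216
+max_send_message_size = 16777216
+[debug]
+address = ""
+uid = 0
+gid = 0
+level = ""
+[metrics]
+address = ""
+grpc_histogram = false
+[cgroup]
+path = ""
+[plugins]
+[plugins.cgroups]
+no_prometheus = false
+[plugins.cri]
+stream_server_address = "{{ stream_server_address }}"
+stream_server_port = "0"
+enable_selinux = false
+sandbox_image = "registry.local:9001/k8s.gcr.io/pause:3.2"
+stats_collect_period = 10
+systemd_cgroup = false
+enable_tls_streaming = false
+max_container_log_line_size = 16384
+[plugins.cri.containerd]
+snapshotter = "overlayfs"
+no_pivot = false
+default_runtime_name = "runc"
+[plugins.cri.containerd.runtimes]
+[plugins.cri.containerd.runtimes.runc]
+runtime_type = "io.containerd.runc.v1"
+[plugins.cri.containerd.runtimes.runc.options]
+NoPivotRoot = false
+NoNewKeyring = false
+ShimCgroup = ""
+IoUid = 0
+IoGid = 0
+BinaryName = "runc"
+Root = ""
+CriuPath = ""
+SystemdCgroup = false
+[plugins.cri.containerd.runtimes.kata]
+runtime_type = "io.containerd.kata.v2"
+[plugins.cri.containerd.runtimes.katacli]
+runtime_type = "io.containerd.runc.v1"
+[plugins.cri.containerd.runtimes.katacli.options]
+NoPivotRoot = false
+NoNewKeyring = false
+ShimCgroup = ""
+IoUid = 0
+IoGid = 0
+BinaryName = "/usr/bin/kata-runtime"
+Root = ""
+CriuPath = ""
+SystemdCgroup = false
+[plugins.cri.containerd.runtimes.untrusted]
+runtime_type = "io.containerd.kata.v2"
+runtime_engine = ""
+runtime_root = ""
+[plugins.cri.cni]
+# conf_dir is the directory in which the admin places a CNI conf.
+conf_dir = "/etc/cni/net.d"
+bin_dir = "{{ kubelet_cni_bin_dir }}"
+max_conf_num = 1
+conf_template = ""
+[plugins.cri.registry]
+[plugins.cri.registry.mirrors]
+# Begin of insecure registries
+<%- @insecure_registries.each do |insecure_registry| -%>
+[plugins.cri.registry.mirrors."<%= insecure_registry %>"]
+endpoint = ["http://<%= insecure_registry %>"]
+<%- end -%>
+# End of insecure registries
+[plugins.cri.registry.configs."registry.local:9001".tls]
+ca_file = "/etc/docker/certs.d/registry.local:9001/registry-cert.crt"
+[plugins.cri.registry.configs."registry.local:9001".auth]
+auth = "{{ registry_auth }}"
+# Central cloud registry config for distributed cloud subclouds
+{% if "{{ distributed_cloud_role }}" == 'subcloud' %}
+[plugins.cri.registry.configs."registry.central:9001".tls]
+ca_file = "/etc/docker/certs.d/registry.central:9001/registry-cert.crt"
+{% endif -%}
+# End central cloud registry config for distributed cloud subclouds
+[plugins.cri.x509_key_pair_streaming]
+tls_cert_file = ""
+tls_key_file = ""
+[plugins.diff-service]
+default = ["walking"]
+[plugins.linux]
+shim = "containerd-shim"
+runtime = "runc"
+runtime_root = ""
+no_shim = false
+shim_debug = false
+[plugins.opt]
+path = "/opt/containerd"
+[plugins.restart]
+interval = "10s"
+[plugins.scheduler]
+pause_threshold = 0.02
+deletion_threshold = 0
+mutation_threshold = 100
+schedule_delay = "0s"
+startup_delay = "100ms"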
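Review bot: The condition on L1748, `{% if "{{ distributed_cloud_role }}" == 'subcloud' %}`, compares the literal text `{{ distributed_cloud_role }}` with `'subcloud'` — inside a `{% %}` tag Jinja does not expand `{{ }}` within a quoted string — so it is always false and the `registry.central:9001` TLS stanza at L1749–L1750 is never rendered for subclouds; it should read `{% if distributed_cloud_role == 'subcloud' %}`. The ERB loop at L1738–L1741 (`<%- @insecure_registries.each ... -%>`) is not touched by the `template` module and will be written into config.toml verbatim; if the `Remove puppet template for insecure registries` tasks still post-process those markers that is deliberate, but a native `{% for registry in insecure_registries | default([]) %}` loop would let the template render the final file in one pass. The `# Central cloud registry config ...` and `# End central cloud registry ...` comments on L1747 and L1752 likewise look like leftover anchors from the old `replace` tasks and can go once the `if` above is fixed.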


@ -26,7 +26,9 @@ data:
forward . /etc/resolv.conf {
policy sequential
}
cache 30
cache 30 {
denial 9984 5
}
loop
reload
loadbalance
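Review bot: The `denial 9984 5` override at L1782–L1784 caps the negative-response cache at a 5 second TTL (CoreDNS `cache` syntax is `denial CAPACITY TTL`), but nothing in the hunk records why the default was lowered, so the next reader cannot tell an intentional tuning from an accident. A one-line Corefile comment above the `cache` block, of the form `# denial TTL lowered to 5s: <reason>`, filled in with the actual motivation, would preserve that context.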


@ -730,7 +730,6 @@ spec:
privileged: true
resources:
requests:
cpu: 150m
livenessProbe:
exec:
command:
@ -747,13 +746,6 @@ spec:
- -felix-ready
- -bird-ready
periodSeconds: 10
{% if cluster_network_ipv4 -%}
# Disable reverse path filter for tunl0 interface
lifecycle:
postStart:
exec:
command: ["/bin/sh", "-c", "sysctl -w net.ipv4.conf.tunl0.rp_filter=0"]
{% endif -%}
volumeMounts:
- mountPath: /lib/modules
name: lib-modules


@ -208,10 +208,8 @@ spec:
/entrypoint.sh --multus-conf-file=/usr/src/multus-cni/images/05-multus.conf
resources:
requests:
cpu: "50m"
memory: "50Mi"
limits:
cpu: "100m"
memory: "50Mi"
securityContext:
privileged: true


@ -49,10 +49,8 @@ spec:
privileged: true
resources:
requests:
cpu: "50m"
memory: "50Mi"
limits:
cpu: "100m"
memory: "50Mi"
volumeMounts:
- name: cnibin


@ -1,2 +1,12 @@
# Overrides config file for kubelet
KUBELET_EXTRA_ARGS=--cni-bin-dir={{ kubelet_cni_bin_dir }} --node-ip={{ node_ip }} --volume-plugin-dir={{ kubelet_vol_plugin_dir }}
# Temporary set pod-max-pids until unlock. During the restore procedure,
# between restore_platform playbook and unlock, there is a window in
# which user app pods can misbehave. Chose a value over the 20, which is
# the number of processes used by platform pods. Chose a value over 100,
# to allow room for platform pods. The user apps are in fact
# intended to run after the unlock anyway. During the unlock the correct
# value is used, the one generated by sysinv as hieradata.
KUBELET_EXTRA_ARGS=--cni-bin-dir={{ kubelet_cni_bin_dir }} \
--node-ip={{ node_ip }} \
--volume-plugin-dir={{ kubelet_vol_plugin_dir }} \
--pod-max-pids 500
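Review bot: The comment at L1847–L1853 reads inconsistently — it says a value "over the 20" and then "over 100" was chosen, while the flag on L1857 sets 500 — so a reader cannot tell which number is the platform-pod baseline or why 500 follows from it. Suggested rewrite of that block comment, in two sentences: state that the limit is a temporary guard between the restore playbook and the unlock, that platform pods need roughly the stated number of pids so 500 leaves headroom while still bounding a misbehaving user-app pod, and that the sysinv-generated hieradata value replaces it at unlock. Please also confirm that whatever reads this override treats the trailing-backslash continuation on L1854–L1857 as one line; a systemd `EnvironmentFile` does, other parsers may not.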


@ -30,10 +30,5 @@ kubeadm_pki_dir: /etc/kubernetes/pki
etcd_tmp_dir: /opt/backups/etcd_tmp_dir
psp_file: /usr/share/ansible/stx-ansible/playbooks/roles/bootstrap/bringup-essential-services/files/psp-policies.yaml
armada_domain: armada-domain
armada_user: armada
armada_namespace: armada
armada_secret_name: default-registry-key
# Kubernetes api server encryption provider configuration file
encryption_provider_config: /etc/kubernetes/encryption-provider.yaml


@ -157,8 +157,7 @@ def populate_system_config(client):
dc_role = None
if is_subcloud():
capabilities.update({'shared_services': "['identity', ]",
'region_config': True})
capabilities.update({'region_config': True})
values = {
'system_mode': CONF.get('BOOTSTRAP_CONFIG', 'SYSTEM_MODE'),
@ -732,8 +731,9 @@ def populate_docker_config(client):
# previous run.
parameters = client.sysinv.service_parameter.list()
for parameter in parameters:
if (parameter.name ==
sysinv_constants.SERVICE_PARAM_NAME_KUBERNETES_API_SAN_LIST):
if (parameter.name in [
sysinv_constants.SERVICE_PARAM_NAME_KUBERNETES_API_SAN_LIST,
sysinv_constants.SERVICE_PARAM_NAME_KUBERNETES_POD_MAX_PIDS]):
client.sysinv.service_parameter.delete(parameter.uuid)
apiserver_san_list = CONF.get('BOOTSTRAP_CONFIG', 'APISERVER_SANS')
@ -753,9 +753,27 @@ def populate_docker_config(client):
'parameters': parameters
}
print("Populating/Updating kubernetes config...")
print("Populating/Updating kubernetes san list...")
client.sysinv.service_parameter.create(**values)
print("Kubernetes config completed.")
parameters = {
sysinv_constants.SERVICE_PARAM_NAME_KUBERNETES_POD_MAX_PIDS:
str(sysinv_constants.SERVICE_PARAM_KUBERNETES_POD_MAX_PIDS_DEFAULT)
}
values = {
'service': sysinv_constants.SERVICE_TYPE_KUBERNETES,
'section':
sysinv_constants.SERVICE_PARAM_SECTION_KUBERNETES_CONFIG,
'personality': None,
'resource': None,
'parameters': parameters
}
print("Populating/Updating kubernetes config...")
client.sysinv.service_parameter.create(**values)
print("Kubernetes config completed.")
parameters = client.sysinv.service_parameter.list()
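Review bot: In the third hunk of `populate_docker_config`, the SAN-list and pod-max-pids service parameters are created with two near-identical `values` dict literals; a small helper taking `parameters` and calling `client.sysinv.service_parameter.create(**values)` would remove the duplication and keep the two `print` labels from drifting. In the second hunk the cleanup loop now also deletes an existing `SERVICE_PARAM_NAME_KUBERNETES_POD_MAX_PIDS` parameter before the default is recreated, so a replay resets any value an operator set in between; if that is intended, say so in the `# previous run.` comment, e.g. `# ... pod-max-pids is reset to its default on every run`. The enclosing function starts and ends outside the hunk.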


@ -68,6 +68,29 @@
- include: one_time_config_tasks.yml
when: not initial_db_populated
- name: Find etcd certs files
find:
paths: "/etc/etcd"
patterns:
- '*.crt'
- '*.key'
register: etcd_certs_find_output
- name: Copy etcd certificates to etcd certs directory
copy:
src: "/etc/etcd/{{ item }}"
dest: "{{ etcd_certs_dir }}/{{ item }}"
remote_src: yes
force: yes
with_items:
- "etcd-server.crt"
- "etcd-server.key"
- "ca.crt"
- "ca.key"
- "etcd-client.crt"
- "etcd-client.key"
when: etcd_certs_find_output.matched != 0
# Banner customization is not part of one_time_config_task.yml as the user may
# choose to change their banner look and feel and replay.
- name: Check if custom banner exists
@ -395,3 +418,20 @@
when: search_result.rc == 0
when: mode == 'restore'
- name: Create source and target device_images bind directories
file:
path: "{{ item }}"
state: directory
owner: www
group: root
mode: 0755
with_items:
- "{{ source_device_image_bind_dir }}"
- "{{ target_device_image_bind_dir }}"
- name: Bind mount on {{ target_device_image_bind_dir }}
# Due to deficiency of mount module, resort to command for now
command: mount -o bind -t ext4 {{ source_device_image_bind_dir }} {{ target_device_image_bind_dir }}
args:
warn: false
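Review bot: The `Copy etcd certificates to etcd certs directory` task copies `ca.key`, `etcd-server.key` and `etcd-client.key` with `remote_src: yes` but no `mode:`, so unless the copy module preserves the source mode by default the keys get default permissions inside `{{ etcd_certs_dir }}`; add `mode: "0600"` (or `mode: preserve`) to that task. The registered `etcd_certs_find_output` is only used as a non-empty gate while the fixed `with_items` list fails if any one of the six files is absent; looping over `etcd_certs_find_output.files | map(attribute='path') | list` would keep the two in step. In the second hunk, `mount -o bind -t ext4 ...` is not idempotent — a replay stacks a second bind mount on `{{ target_device_image_bind_dir }}` — so guard it with a registered `findmnt` check, and `-t ext4` is ignored for bind mounts and can be dropped.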


@ -38,13 +38,16 @@
- "{{ postgres_config_dir }}"
- "{{ pxe_config_dir }}"
- name: Ensure SSL CA certificates directory exists
- name: Ensure SSL CA and etcd certs directories exist
file:
path: "{{ ssl_ca_certs_dir }}"
path: "{{ item }}"
state: directory
owner: root
group: root
mode: 0700
with_items:
- "{{ ssl_ca_certs_dir }}"
- "{{ etcd_certs_dir }}"
- name: Get list of Postgres conf files
find:
@ -109,54 +112,9 @@
- "grubby --update-kernel={{ grub_kernel_output.stdout_lines[0] }} --args='{{ default_security_feature }}'"
- "grubby --efi --update-kernel={{ grub_kernel_output.stdout_lines[0] }} --args='{{ default_security_feature }}'"
- block:
- name: Resize logical volumes
include: resize_logical_volume.yml
with_items:
- { size: "10G", lv: "/dev/cgts-vg/pgsql-lv" }
- { size: "10G", lv: "/dev/cgts-vg/platform-lv" }
- { size: "5G", lv: "/dev/cgts-vg/etcd-lv" }
- { size: "16G", lv: "/dev/cgts-vg/dockerdistribution-lv" }
- { size: "20G", lv: "/dev/cgts-vg/backup-lv" }
- { size: "30G", lv: "/dev/cgts-vg/docker-lv" }
- { size: "10G", lv: "/dev/cgts-vg/kubelet-lv" }
- { size: "16G", lv: "/dev/cgts-vg/scratch-lv" }
- name: Gather drbd status
command: drbd-overview
register: drbd_result
- name: Resize filesystems (default)
command: "{{ item }}"
failed_when: false
with_items:
- resize2fs /dev/cgts-vg/backup-lv
- xfs_growfs /dev/cgts-vg/docker-lv
- resize2fs /dev/cgts-vg/kubelet-lv
- resize2fs /dev/cgts-vg/scratch-lv
- name: Resize drbd filesystems (default)
include: resize_drbd.yml
with_items:
- { resource: "drbd-pgsql/0", device: "drbd0" }
- { resource: "drbd-platform/0", device: "drbd2" }
- { resource: "drbd-etcd/0", device: "drbd7" }
- { resource: "drbd-dockerdistribution/0", device: "drbd8" }
when: root_disk_size|int >= minimum_small_root_disk_size
- block:
- name: Further resize if root disk size is larger than 240G
include: resize_logical_volume.yml
with_items:
- { size: "20G", lv: "/dev/cgts-vg/pgsql-lv" }
- { size: "25G", lv: "/dev/cgts-vg/backup-lv" }
- name: Resize filesystems
command: "{{ item }}"
failed_when: false
with_items:
- resize2fs /dev/cgts-vg/backup-lv
- name: Further resize drbd filesystems
include: resize_drbd.yml
with_items:
- { resource: "drbd-pgsql/0", device: "drbd0" }
when: root_disk_size|int > small_root_disk_size
- name: Record drbd status
debug: var=drbd_result.stdout_lines
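Review bot: `mode: 0700` in the `Ensure SSL CA and etcd certs directories exist` task (and `mode: 0755` in the device_images directory task earlier in this commit) is an unquoted octal literal; Ansible's YAML 1.1 loader reads it as octal today, but a YAML 1.2 loader would read decimal 700 and produce a very different mode, which is why the Ansible docs recommend `mode: "0700"`. Root-only 0700 is the right choice for a directory that will hold `ca.key`; a one-line comment above the task saying the etcd directory holds private keys would make that explicit for whoever next touches the list.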


@ -1,28 +0,0 @@
---
#
# Copyright (c) 2020 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# SUB-TASKS DESCRIPTION:
# - Resize drbd filesytems
# - After issuing the drbdadm resize, a pause is also required prior to
# performing the resize2fs operation.
#
# There does not appear to be much observability into drbdadm resize
# at /proc/drbd or drbd-overview, so a pause is introduced. The pause needed
# to be at least 1 second as per observations in virtual and hardware labs,
# AIO and Standard controllers.
#
- name: Resize drbd resource {{ item.resource }}
command: "drbdadm -- --assume-peer-has-space resize {{ item.resource }}"
# Pause for 10 seconds to mimic this workaround. When moving to drbd9 this can be removed
# https://github.com/LINBIT/drbd-utils/commit/b12e02eb8ac83aeb0a2165810d91dc3f5d20c83f
- name: Pause 10 seconds for drbd resize
pause:
seconds: 10
- name: Resize filesystem {{ item.device }}
command: "resize2fs /dev/{{ item.device }}"


@ -1,26 +0,0 @@
---
#
# Copyright (c) 2020 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# SUB-TASKS DESCRIPTION:
# - Resize some filesytems
# - Remove stale data at the end of LV block device
#
- name: Resize logical volume {{ item.lv }}
command: "lvextend -L{{ item.size }} {{ item.lv }}"
register: res
failed_when: false
- name: Fail if file system resizing failed for a reason other than it has been done already
fail:
msg: "{{ item.lv }} resize failed for the following reason: {{ res.stderr }}."
when: res.rc !=0 and res.stderr is not search('matches existing size') and
res.stderr is not search('not larger than existing size')
- name: Remove stale data at the end of LV block device
shell: "seek_end=$(($(blockdev --getsz {{ item.lv }})/2048 - 10));
dd if=/dev/zero of={{ item.lv }} bs=1M count=10 seek=${seek_end} "
when: res.rc == 0


@ -54,16 +54,16 @@
warn: false
- block:
- name: Restart etcd
- name: Stop etcd
systemd:
name: etcd
state: restarted
state: stopped
rescue:
- name: Etcd failed to restart, try one more time
- name: Etcd failed to stop, try one more time
systemd:
name: etcd
state: restarted
state: stopped
- block: # Revert configuration to loopback interface


@ -98,22 +98,29 @@
msg: Timeout waiting for system controller database configuration to complete
when: distributed_cloud_role == 'systemcontroller'
- block:
- name: Update sysinv with new region name
replace:
path: /etc/sysinv/sysinv.conf
regexp: "region_name=.*$"
replace: "region_name={{ region_name }}"
- name: Restart sysinv-agent and sysinv-api to pick up sysinv.conf update
command: "{{ item }}"
with_items:
- /etc/init.d/sysinv-agent restart
- /usr/lib/ocf/resource.d/platform/sysinv-api reload
environment:
OCF_ROOT: "/usr/lib/ocf"
- name: Update sysinv with new region name
replace:
path: /etc/sysinv/sysinv.conf
regexp: "region_name=.*$"
replace: "region_name={{ region_name }}"
when: distributed_cloud_role == 'subcloud'
- name: Restart sysinv-agent and sysinv-api to pick up sysinv.conf update
command: "{{ item }}"
with_items:
- /etc/init.d/sysinv-agent restart
- /usr/lib/ocf/resource.d/platform/sysinv-api reload
environment:
OCF_ROOT: "/usr/lib/ocf"
- name: Wait for sysinv inventory
wait_for:
path: /var/run/sysinv/.sysinv_reported
state: present
timeout: 600
msg: Timeout waiting for system inventory to complete
- name: Set flag to mark the initial db population completed milestone
file:
path: "{{ initial_db_populated_flag }}"
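Review bot: The `regexp: "region_name=.*$"` in the `Update sysinv with new region name` task is unanchored at the start, so it would also rewrite a commented-out `#region_name=` line or any other key ending in `region_name`; anchor it as `regexp: "^region_name=.*$"`. The rendered view does not show whether the restart and `wait_for` tasks sit inside the `- block:` at the top of the hunk or after it, so the apparent intent — only the `replace` is gated on `subcloud`, the restart and wait run for both roles — should be stated in a comment above the restart task. The new ten-minute `timeout: 600` on `.sysinv_reported` also deserves a brief why-comment.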


@ -6,7 +6,6 @@ default_security_feature: "nopti nospectre_v2 nospectre_v1"
temp_ssl_ca: "/tmp/ca-cert.pem"
ssl_ca_complete_flag: /etc/platform/.ssl_ca_complete
region_config: no
# The default disk size thresholds must align with the ones in
# config/.../sysinv/common/constants.py
small_root_disk_size: 240
minimum_small_root_disk_size: 181
source_device_image_bind_dir: /opt/platform/device_images
target_device_image_bind_dir: /www/pages/device_images
etcd_certs_dir: "{{ config_permdir + '/etcd' }}"


@ -108,6 +108,10 @@
docker.elastic.co:
url: docker.elastic.co
- name: Save the list of user defined registry keys
set_fact:
user_defined_registry_keys: "{{ docker_registries.keys() | list }}"
- name: Merge user and default registries dictionaries
set_fact:
docker_registries: "{{ default_docker_registries | combine(docker_registries) }}"
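Review bot: `docker_registries.keys()` in the new `Save the list of user defined registry keys` task raises if `docker_registries` is undefined or was supplied as a bare `docker_registries:` (null); unless a default is guaranteed earlier in the play, write it as `user_defined_registry_keys: "{{ (docker_registries | default({})).keys() | list }}"`. A one-line comment noting that this list feeds the unknown-key validation in the validate-config role would make the cross-role dependency discoverable.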


@ -62,7 +62,7 @@
*/{{ temp_ssl_ca_file }}*
args:
warn: false
ignore_errors: yes
failed_when: false
- name: Check that ssl_ca certificate exists
stat:
@ -80,7 +80,7 @@
--overwrite --transform='s,.*/,,' '{{ archive_config_permdir }}/enabled_kube_plugins'
args:
warn: false
ignore_errors: yes
failed_when: false
- name: Check that enabled_kube_plugins exists
stat:


@ -8,6 +8,12 @@
# This role is to validate and save host (non secure) config.
#
- name: Fail if any of the configured registry keys is unknown
fail:
msg: "Unknown registry key: '{{ item }}'. Acceptable keys are {{ known_registry_keys|join(', ') }} "
when: not item in known_registry_keys
with_items: "{{ user_defined_registry_keys }}"
# error check the password section of docker registries
# check password parameters before trying to hide the password
# we need to do that here as opposed to with the other docker registry
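Review bot: `when: not item in known_registry_keys` reads ambiguously (Jinja parses it as `not (item in ...)`, which is what is meant, but `item not in known_registry_keys` says so directly), and the `msg` carries a trailing space inside the quotes before the closing `"`. `with_items: "{{ user_defined_registry_keys }}"` will fail when the task that saves that fact did not run; if that can happen, `| default([])` it here. `known_registry_keys` lives in a separate vars file in this commit and must be kept in sync with the `default_docker_registries` mapping; a comment at one of the two places, e.g. `# keep in sync with the default_docker_registries mapping`, would guard against drift.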


@ -20,7 +20,7 @@
- block:
- name: Remove application
shell: "source /etc/platform/openrc; system application-remove {{ application }}"
shell: "source /etc/platform/openrc; system application-remove --force {{ application }}"
- name: Wait until application is in the uploaded state
shell: "source /etc/platform/openrc; system application-show {{ application }}
@ -34,4 +34,4 @@
# expect applications to be in the uploaded state now
# because of above check leaving 2 possible states and above code eliminating "applied"
- name: Delete application
shell: "source /etc/platform/openrc; system application-delete {{ application }}"
shell: "source /etc/platform/openrc; system application-delete --force {{ application }}"
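Review bot: Adding `--force` to `system application-remove` and `system application-delete` presumably bypasses the CLI's state checks, and nothing in the hunk records why that is safe here; a comment above each task, e.g. `# --force: the application may be in a transient or failed state at this point; <reason it is safe>`, would keep a future reader from removing it. `{{ application }}` is interpolated into a shell string unquoted; `{{ application | quote }}` costs nothing and prevents a space or metacharacter in a name from breaking the command.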


@ -15,3 +15,11 @@ system_controller_floating_address: none
system_controller_subnet: none
system_controller_oam_floating_address: none
system_controller_oam_subnet: none
known_registry_keys:
- quay.io
- gcr.io
- k8s.gcr.io
- docker.io
- docker.elastic.co
- defaults


@ -0,0 +1,164 @@
---
#
# Copyright (c) 2020 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# ROLE DESCRIPTION:
# This role is to perform tasks that configure and launch containerized Armada.
#
# For the IPv6 system, the CIDR address should be changed to IPv6 to allow
# users from IPv6 address to access DB (ie. tiller running in container)
- block:
- name: Update postgresql pg_hba.conf with IPv6 address if system is IPv6
command: "{{ item }}"
args:
warn: false
with_items:
- "sed -i -e 's|0.0.0.0/0|::0/0|g' /etc/postgresql/pg_hba.conf"
- "sed -i -e 's|0.0.0.0/32|::0/128|g' /etc/postgresql/pg_hba.conf"
- name: Restart postgresql
systemd:
name: postgresql
state: restarted
when: (mode != 'upgrade_k8s_armada_helm' and
ipv6_addressing is defined and ipv6_addressing != False)
- name: Get Helm SQL database password
vars:
script_content: |
import keyring
password = keyring.get_password("helmv2", "database")
if not password:
raise Exception("Helm database password not found.")
print password
shell: "{{ script_content }}"
args:
executable: /usr/bin/python
register: helm_sql_database_password
- name: Set Armada overrides
set_fact:
helm_charts_url: "http://{{ controller_floating_address | ipwrap }}:{{ helm_repo_port }}/helm_charts"
helm_sql_connection_address: "postgresql://admin-helmv2:{{ helm_sql_database_password.stdout }}@{{
controller_floating_address | ipwrap }}:5432/helmv2?sslmode=disable"
helm_sql_endpoint_ip: "{{ controller_floating_address | ipwrap }}"
- name: Configure and launch containerized Armada
block:
- name: Add Helm repos
command: /sbin/helm repo add "{{ item }}" "http://127.0.0.1:{{ helm_repo_port }}/helm_charts/{{ item }}" --debug
with_items:
- "{{ helm_repo_name_apps }}"
- "{{ helm_repo_name_platform }}"
- name: Update Helm repos
command: /sbin/helm repo update --debug
- name: Create Armada overrides
template:
src: "roles/common/armada-helm/templates/armada-overrides.yaml.j2"
dest: "/tmp/armada-overrides.yaml"
become_user: sysadmin
- name: Create namespace for Armada
command: >
kubectl create namespace {{ armada_namespace }}
failed_when: false
register: create_ns
- name: Fail if creating namespace fails
fail:
msg: "Failed to create {{ armada_namespace }} namespace. Error: {{ create_ns.stderr }}"
when: create_ns.rc is defined and create_ns.rc !=0 and
create_ns.stderr is not search('AlreadyExists')
# Retrieve local registry credentials if it's unknown
- block:
- name: Get local registry credentials
vars:
script_content: |
import keyring
password = keyring.get_password("sysinv", "services")
if not password:
raise Exception("Local registry password not found.")
print dict(username='sysinv', password=str(password))
shell: "{{ script_content }}"
args:
executable: /usr/bin/python
register: local_registry_credentials_output
- set_fact:
local_registry_credentials: "{{ local_registry_credentials_output.stdout }}"
local_registry: "registry.local:9001"
when: local_registry_credentials is not defined
- name: Check if secret exists
command: kubectl -n {{ armada_namespace }} get secret {{ armada_secret_name }}
failed_when: false
register: armada_get_secret
- name: Create secret if it doesn't exist
command: >-
kubectl -n {{ armada_namespace }} create secret docker-registry {{ armada_secret_name }}
--docker-server={{ local_registry }}
--docker-username={{ local_registry_credentials['username'] }}
--docker-password={{ local_registry_credentials['password'] }}
when: armada_get_secret.rc is defined and armada_get_secret.rc !=0 and
armada_get_secret.stderr is search('NotFound')
# Configure sane node label values that work with armada node selector
- name: Create Armada node label
command: >
kubectl label node controller-0 armada=enabled --overwrite=true
# To prevent helm-upload requiring sudo and a tty for password,
# become the intended www user.
- name: Upload Armada charts
become_user: www
command: >
/usr/local/sbin/helm-upload stx-platform /opt/extracharts/armada-0.1.0.tgz
- name: Update info of available charts from chart repos
command: >
/sbin/helm repo update --debug
- name: Check if Armada revisions exists
command: >-
/sbin/helm status armada
--namespace {{ armada_namespace }}
failed_when: false
register: armada_check
- name: Uninstall Armada revisions
command: >-
/sbin/helm uninstall
--namespace {{ armada_namespace }} armada
when: armada_check.rc == 0
- name: Launch Armada with Helm v3
command: >-
/sbin/helm upgrade --install armada stx-platform/armada
--namespace {{ armada_namespace }}
--values /tmp/armada-overrides.yaml
--debug
# For the armada upgrade during system upgrade, wait until
# armada pod is in a ready state before marking it as successful.
# This is needed as helm releases migration should be done
# after tiller is running with SQL backend
- name: Launch Armada with Helm v3 (Upgrade armada)
command: >-
/sbin/helm upgrade --install armada stx-platform/armada
--namespace {{ armada_namespace }}
--values /tmp/armada-overrides.yaml
--wait
--debug
when: mode == "upgrade_k8s_armada_helm"
become_user: sysadmin
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
HOME: /home/sysadmin
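Review bot: The `Get Helm SQL database password`, `Get local registry credentials` and `Create secret if it doesn't exist` tasks put secrets into registered results and a `kubectl ... --docker-password=...` command line without `no_log: true`, so the Helm DB password and the sysinv registry password appear in verbose play output and in the process list; add `no_log: true` to each of the three. The `Create Armada overrides` template is rendered to `/tmp/armada-overrides.yaml` as `sysadmin` with no `mode:`, and the overrides template later in this commit writes `sql_connection` — which embeds that password — into it; set `mode: "0600"` on the template task and remove the file after the `helm upgrade --install` tasks. `sslmode=disable` in `helm_sql_connection_address` turns off TLS to Postgres; if the connection really stays on the controller's own floating address, say so in a comment, otherwise prefer `sslmode=require`.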


@ -20,6 +20,13 @@ pod:
type: none
replicas:
api: 1
# When updating armada, the old pod is terminated after the new pod is ready.
# This allows "helm install/upgrade" with --wait to work when replicas is 1.
lifecycle:
upgrades:
deployments:
rolling_update:
max_unavailable: 0
probes:
armada:
api:
@ -37,9 +44,9 @@ pod:
liveness:
enabled: true
params:
failureThreshold: 3
failureThreshold: 2
initialDelaySeconds: 1
periodSeconds: 10
periodSeconds: 4
successThreshold: 1
timeoutSeconds: 1
readiness:
@ -50,25 +57,6 @@ pod:
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
endpoints:
identity:
auth:
armada:
password: "{{ armada_default_password }}"
project_domain_name: default
project_name: default
region_name: RegionOne
user_domain_name: default
username: admin
armada:
password: "{{ armada_password }}"
project_domain_name: {{ armada_domain }}
project_name: service
region_name: RegionOne
user_domain_name: {{ armada_domain }}
username: "{{ armada_user }}"
host_fqdn_override:
default: "{{ controller_floating_address }}"
dependencies:
static:
api:
@ -85,9 +73,14 @@ manifests:
job_ks_service: false
job_ks_endpoints: false
job_ks_user: false
secret_keystone: false
conf:
tiller:
charts_url: {{ helm_charts_url }}
repo_names:
- {{ helm_repo_name_apps }}
- {{ helm_repo_name_platform }}
storage: sql
sql_dialect: postgres
sql_connection: {{ helm_sql_connection_address }}
sql_endpoint_ip: {{ helm_sql_endpoint_ip }}
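Review bot: The new `charts_url`, `sql_connection` and `sql_endpoint_ip` values are emitted as plain scalars; `sql_connection` expands to a `postgresql://user:password@host:5432/...` string, and if the password contains `#`, `: ` or a leading indicator character the rendered YAML is broken or silently truncated. Quote all three, e.g. `sql_connection: "{{ helm_sql_connection_address }}"`, the way `password: "{{ ... }}"` was quoted on the old side. The `repo_names` entries (`- {{ helm_repo_name_apps }}`) are safer quoted as well.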


@ -0,0 +1,3 @@
---
armada_namespace: armada
armada_secret_name: default-registry-key


@ -0,0 +1,129 @@
---
#
# Copyright (c) 2020 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# ROLE DESCRIPTION:
# Create etcd server and client certs and key.
- name: Generate private key for etcd server and client
openssl_privatekey:
path: "/etc/etcd/{{ item }}.key"
type: RSA
size: 4096
state: present
force: true
with_items:
- "etcd-server"
- "apiserver-etcd-client"
- "etcd-client"
- name: Generate CSRs for etcd server and client
openssl_csr:
path: "/etc/etcd/{{ item }}.csr"
privatekey_path: "/etc/etcd/{{ item }}.key"
common_name: "{{ item }}"
key_usage:
- digitalSignature
extended_key_usage:
- serverAuth
- clientAuth
subject_alt_name:
- IP:{{ cluster_floating_address }}
- IP:127.0.0.1
force: true
with_items:
- "etcd-server"
- "apiserver-etcd-client"
- name: Generate CSRs for etcd root client
openssl_csr:
path: "/etc/etcd/{{ item }}.csr"
privatekey_path: "/etc/etcd/{{ item }}.key"
common_name: "root"
key_usage:
- digitalSignature
extended_key_usage:
- serverAuth
- clientAuth
force: true
with_items:
- "etcd-client"
- name: Check if CA exists
stat:
path: /etc/kubernetes/pki/ca.crt
register: ca_file
- name: Copy existed CA
copy:
src: "/etc/kubernetes/pki/{{ item }}"
dest: "/etc/etcd/{{ item }}"
remote_src: yes
force: yes
with_items:
- "ca.crt"
- "ca.key"
when: ca_file.stat.exists
- name: copy user specified CA
copy:
src: "{{ item }}"
dest: "/etc/etcd/{{ item }}"
remote_src: yes
force: yes
with_items:
- "{{k8s_root_ca_cert}}"
- "{{k8s_root_ca_key}}"
when: (k8s_root_ca_cert)
- block:
- name: Generate private key for kubernetes-ca
# Reuse this kubernetes-ca for the etcd-ca,
# will copy to /etc/kubernetes/pki later
openssl_privatekey:
path: "/etc/etcd/ca.key"
type: RSA
size: 4096
state: present
force: true
- name: Generate CSR for kubernetes-ca
openssl_csr:
path: "/etc/etcd/ca.csr"
privatekey_path: "/etc/etcd/ca.key"
common_name: kubernetes
basic_constraints:
- CA:true
- pathlen:1
basic_constraints_critical: True
key_usage:
- keyCertSign
- digitalSignature
force: true
- name: Generate self-signed CA certificate
openssl_certificate:
path: "/etc/etcd/ca.crt"
privatekey_path: "/etc/etcd/ca.key"
csr_path: "/etc/etcd/ca.csr"
provider: selfsigned
force: true
when: not ca_file.stat.exists and k8s_root_ca_cert == ''
- name: Generate certs signed with kubernetes CA certificate"
openssl_certificate:
path: "/etc/etcd/{{ item }}.crt"
csr_path: "/etc/etcd/{{ item }}.csr"
ownca_path: "/etc/etcd/ca.crt"
ownca_privatekey_path: "/etc/etcd/ca.key"
provider: ownca
force: true
with_items:
- "etcd-server"
- "apiserver-etcd-client"
- "etcd-client"


@ -4,6 +4,10 @@ localAPIEndpoint:
advertiseAddress: <%= @apiserver_advertise_address %>
nodeRegistration:
criSocket: "/var/run/containerd/containerd.sock"
# configure kubeadm to not apply the default
# taint "node-role.kubernetes.io/master:NoSchedule"
# to control plane nodes
taints: []
---
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
@ -40,6 +44,9 @@ etcd:
external:
endpoints:
- <%= @etcd_endpoint %>
caFile: /etc/kubernetes/pki/ca.crt
certFile: /etc/kubernetes/pki/apiserver-etcd-client.crt
keyFile: /etc/kubernetes/pki/apiserver-etcd-client.key
imageRepository: "registry.local:9001/k8s.gcr.io"
kubernetesVersion: v1.18.1
networking:


@ -0,0 +1,28 @@
---
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
- name: Query administrative state
shell: source /etc/platform/openrc; system host-show {{ target_host }} --column administrative --format value
register: administrative_state
- block:
- name: Lock host
shell: source /etc/platform/openrc; system host-lock {{ target_host }}
retries: 10
delay: 30
register: result
until: result.rc == 0
- name: Wait for lock
shell: source /etc/platform/openrc; system host-show {{ target_host }} --column administrative --format value
register: check_lock
failed_when: false
retries: 30
delay: 10
until: check_lock.stdout == "locked"
when: administrative_state.stdout != "locked"
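Review bot: `{{ target_host }}` is spliced unquoted into every `shell:` command here (and in the unlock tasks file added in this commit); if it comes from operator-supplied extra-vars, a value with spaces or shell metacharacters changes the command, so use `{{ target_host | quote }}`. On `Wait for lock`, `failed_when: false` presumably only masks a non-zero `host-show` exit between attempts while exhausting `retries: 30` without `check_lock.stdout == "locked"` still fails the task; a comment stating that intent, e.g. `# failed_when only tolerates transient host-show errors; the until condition decides`, would stop the next reader from removing it. `register: result` is a generic name; `lock_result` would match `check_lock` and `administrative_state`.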


@ -0,0 +1,13 @@
---
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
- name: Unlock host
shell: source /etc/platform/openrc; system host-unlock {{ target_host }}
retries: 10
delay: 30
register: result
until: result.rc == 0


@ -1,6 +1,6 @@
---
#
# Copyright (c) 2020 Wind River Systems, Inc.
# Copyright (c) 2020-2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
@ -24,11 +24,70 @@
- set_fact:
kubernetes_images: "{{ kubernetes_images_output.stdout_lines }}"
- include_vars:
- name: Read in system images list
include_vars:
dir: "vars/k8s-{{ kubernetes_version }}"
files_matching: "system-images.yml"
- name: Get the list of platform images
# Optional system images can be addded in {{ additional_system_images_conf_file }}
# under {{ additional_system_images_conf_path }}.
# Additional static images can be introduced in this file, e.g.
# additional_static_images_list:
# image1_name: <registry-url>/image1:v1.0
# image2_name: <registry-url>/image2:v2.0
# Additional static images required or a DC controller only can also be introduced
# in this file, e.g.
# additional_system_controller_static_images_list:
# image3_name: <registry-url>/image3:v3.0
# image4_name: <registry-url>/image4:v4.0
- name: Check if additional image config file exists
stat:
path: "{{ additional_system_images_conf_path + '/' + additional_system_images_conf_file }}"
register: additional_config_file
- name: Read in additional system images list(s) in localhost
include_vars:
file: "{{ additional_config_file.stat.path }}"
when: additional_config_file.stat.exists and
inventory_hostname == "localhost"
# When invoking the playbook remotely, the additional config file locates in the remote
# host may not also exist in the control host, fetch it to the control host to prevent
# include_vars failure.
- block:
- name: Create a temporary file on remote
tempfile:
state: file
prefix: "additional_images_"
register: additional_system_images_temp_file
- name: Fetch the additional images config in case the playbook is executed remotely
fetch:
src: "{{ additional_config_file.stat.path }}"
dest: "{{ additional_system_images_temp_file.path }}"
flat: yes
- name: Read in additional system images list(s) fetched from remote
include_vars:
file: "{{ additional_system_images_temp_file.path }}"
- name: Remove the temporary file on remote
file:
path: "{{ additional_system_images_temp_file.path }}"
state: absent
delegate_to: "{{ inventory_hostname }}"
- name: Remove override temp file on Ansible control host
file:
path: "{{ additional_system_images_temp_file.path }}"
state: absent
delegate_to: localhost
become: no
when: additional_config_file.stat.exists and
inventory_hostname != "localhost"
- name: Categorize system images
set_fact:
networking_images:
- "{{ calico_cni_img }}"
@ -45,4 +104,27 @@
- "{{ kubernetes_entrypoint_img }}"
storage_images:
- "{{ snapshot_controller_img }}"
- name: Append additional static images if provisioned
set_fact:
static_images: "{{ static_images }} + [ '{{item.value}}' ]"
with_items: "{{ additional_static_images_list | default({})| dict2items }}"
when: additional_static_images_list is defined
- block:
- name: Append RVMC image for a DC system controller
set_fact:
static_images: "{{ static_images }} + [ '{{ rvmc_img }}' ]"
- name: Append additional static images for a DC system controller if provisioned
set_fact:
static_images: "{{ static_images }} + [ '{{item.value}}' ]"
with_items: "{{ additional_system_controller_static_images_list | default({})| dict2items }}"
when: additional_system_controller_static_images_list is defined
when: (distributed_cloud_role is defined and
distributed_cloud_role == 'systemcontroller') or
(check_dc_controller is defined and
check_dc_controller.rc == 0)
when: kubernetes_version is defined
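Review bot: The `include_vars` tasks load `{{ additional_system_images_conf_file }}` at include_vars precedence, so a file in `{{ additional_system_images_conf_path }}` can define or override any variable the play uses (`static_images`, `kubernetes_version`, registry settings), not just the two `additional_*_static_images_list` keys the comment documents; loading it under a namespace (`include_vars:` with `name: additional_images_cfg`) and reading `additional_images_cfg.additional_static_images_list` bounds what the file can affect. The list appends use string splicing (`"{{ static_images }} + [ '{{item.value}}' ]"`), which breaks on a quote in an image reference; `"{{ static_images + [item.value] }}"` is the direct equivalent. The header comment has `addded` for `added` and `required or a DC controller` for `required for a DC controller`.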


@ -9,9 +9,10 @@ calico_node_img: quay.io/calico/node:v3.12.0
calico_kube_controllers_img: quay.io/calico/kube-controllers:v3.12.0
calico_flexvol_img: quay.io/calico/pod2daemon-flexvol:v3.12.0
multus_img: docker.io/nfvpe/multus:v3.4
sriov_cni_img: docker.io/starlingx/k8s-cni-sriov:stx.3.0-v2.2
sriov_cni_img: docker.io/starlingx/k8s-cni-sriov:stx.5.0-v2.6-7-gb18123d8
sriov_network_device_img: docker.io/starlingx/k8s-plugins-sriov-network-device:stx.4.0-v3.2-16-g4e0302ae
# Keep the snapshot-controller image in sync with the one provided at:
# cluster/addons/volumesnapshots/volume-snapshot-controller/volume-snapshot-controller-deployment.yaml
# in the kubernetes github repo
snapshot_controller_img: quay.io/k8scsi/snapshot-controller:v2.0.0-rc2
rvmc_img: docker.io/starlingx/rvmc:stx.5.0-v1.0.0


@ -0,0 +1,8 @@
---
#
# Copyright (c) 2020 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
additional_system_images_conf_path: /usr/share/additional-config
additional_system_images_conf_file: additional-system-images.yml


@ -87,8 +87,17 @@ def download_an_image(img):
# as opae container runs via docker.
# TODO: run opae with containerd.
if not ('n3000-opae' in target_img):
client.remove_image(target_img)
client.remove_image(local_img)
delete_warn = "WARNING: Image %s was not deleted because it was not " \
"present into the local docker filesystem"
if client.images(target_img):
client.remove_image(target_img)
else:
print(delete_warn % target_img)
if client.images(local_img):
client.remove_image(local_img)
else:
print(delete_warn % local_img)
return target_img, True
except docker.errors.NotFound as e:
print(err_msg + str(e))
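Review bot: The `client.images(...)`/`remove_image` guard with the `WARNING: Image %s was not deleted ...` message is written out twice here and a third time in the `push_from_filesystem` hunk below; a small helper holding the check, the removal and the warning once (below) would keep the three copies from drifting. `delete_warn` says `present into the local docker filesystem`; `present in the local docker image cache` is the intended wording. `if not ('n3000-opae' in target_img):` (and its twin below) is `if 'n3000-opae' not in target_img:`. `download_an_image` starts and ends outside the hunk.
```python
def _remove_image_if_present(client, img):
    """Remove img from the local docker cache; warn instead of failing if it is absent."""
    if client.images(img):
        client.remove_image(img)
    else:
        print("WARNING: Image %s was not deleted because it was not "
              "present in the local docker image cache" % img)

# … unchanged: download_an_image, calling the helper for target_img and local_img …
```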


@ -54,7 +54,15 @@ def push_from_filesystem(image):
subprocess.check_call(["crictl", "pull", "--creds",
auth_str, image])
print("Image %s download succeeded by containerd" % image)
client.remove_image(image)
# Clean up docker images except for n3000-opae
# as opae container runs via docker.
# TODO: run opae with containerd.
if not ('n3000-opae' in image):
if client.images(image):
client.remove_image(image)
else:
print("WARNING: Image %s was not deleted because it "
"was not present into the local docker filesystem" % image)
return image, True
except docker.errors.APIError as e:
print(err_msg + str(e))


@ -9,6 +9,11 @@
# from public/private registries and push to local registry.
#
- name: Set default values for docker_http_proxy and docker_https_proxy if they are undefined
set_fact:
docker_http_proxy: "{{ docker_http_proxy|default('') }}"
docker_https_proxy: "{{ docker_https_proxy|default('') }}"
- name: Get docker registries if not in bootstap or restore mode
include: get_docker_registry.yml registry={{ item }}
with_items:
@ -93,6 +98,10 @@
registry: "{{ item['url'] }}"
username: "{{ item['username'] }}"
password: "{{ item['password'] }}"
register: login_result
retries: 10
delay: 5
until: login_result is succeeded
with_items:
- "{{ k8s_registry }}"
- "{{ gcr_registry }}"
@ -123,6 +132,9 @@
- name: Download images and push to local registry
script: download_images.py {{ download_images }}
register: download_images_output
retries: 10
delay: 5
until: download_images_output.rc == 0
environment:
REGISTRIES: "{{ registries | to_json }}"
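Review bot: The login loop now registers `login_result` and retries, and each loop item carries `password`; unless the task already has `no_log: true` outside the hunk, every attempt and each retry's failure message prints the registry credentials in the play output, so add `no_log: true` to that task. `retries: 10`/`delay: 5` bounds the wait at roughly fifty seconds per registry; a one-line comment on why that budget was chosen would help, and the same applies to the ten re-runs of `download_images.py` in the last hunk, which re-execute the whole script on every failure.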


@ -1,6 +1,6 @@
---
#
# copyright (c) 2020 Wind River Systems, Inc.
# copyright (c) 2020-21 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
@ -85,31 +85,6 @@
kubectl --kubeconfig=/etc/kubernetes/admin.conf -n "{{ sc_adminep_ca_cert_ns }}"
wait --for=condition=ready certificate "{{ sc_adminep_cert_secret }}" --timeout=30s
- name: Extract subcloud admin endpoint certificate
shell: >-
kubectl --kubeconfig=/etc/kubernetes/admin.conf get secret "{{ sc_adminep_cert_secret }}"
-n "{{ sc_adminep_ca_cert_ns }}" -o=jsonpath='{.data.tls\.crt}'
| base64 --decode > "{{ sc_adminep_temp_dir }}/{{ sc_adminep_cert }}"
- name: Extract subcloud admin endpoint key
shell: >-
kubectl --kubeconfig=/etc/kubernetes/admin.conf get secret "{{ sc_adminep_cert_secret }}"
-n "{{ sc_adminep_ca_cert_ns }}" -o=jsonpath='{.data.tls\.key}'
| base64 --decode > "{{ sc_adminep_temp_dir }}/{{ sc_adminep_key }}"
- name: Create haproxy tls certifcate
shell: >-
cat "{{ sc_adminep_temp_dir }}/{{ sc_adminep_cert }}"
"{{ sc_adminep_temp_dir }}/{{ sc_adminep_key }}"
> "{{ sc_adminep_temp_dir }}/{{ haproxy_adminep_cert }}"
- name: Install haproxy tls certficate
copy:
src: "{{ sc_adminep_temp_dir }}/{{ haproxy_adminep_cert }}"
dest: /etc/ssl/private
remote_src: yes
mode: 0400
- name: Copy admin endpoint certficates to the shared filesystem directory
copy:
src: "{{ item }}"
@ -117,7 +92,6 @@
remote_src: yes
mode: 0400
with_items:
- "/etc/ssl/private/{{ haproxy_adminep_cert }}"
- "/etc/pki/ca-trust/source/anchors/{{ dc_adminep_root_ca_cert }}"
- name: Cleanup temporary working directory


@ -10,4 +10,3 @@ sc_adminep_ca_cert_ns: sc-cert
sc_adminep_cert_duration: 4320h
sc_adminep_cert_renew_before: 720h
setup_sc_adminep_certs_yaml: setup-sc-adminep-certs.yaml
haproxy_adminep_cert: admin-ep-cert.pem


@ -1,12 +1,23 @@
---
#
# Copyright (c) 2020 Wind River Systems, Inc.
# Copyright (c) 2020-2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# ROLE DESCRIPTION:
# This role performs checks to ensure the target is combatiable for these playbooks
# This role performs checks to ensure the target is compatible with the playbook
# and is ready for the next step.
#
- set_fact:
check_system: "{{ check_system | default(false) }}"
check_load: "{{ check_load | default(false) }}"
check_bootstrap_address: "{{ check_bootstrap_address | default(false) }}"
check_patches: "{{ check_patches | default(false) }}"
- name: Gather facts if check_bootstrap_address is turned on
setup:
when: check_bootstrap_address and bootstrap_address is defined
- name: Retrieve software version number
# lookup module does not work with /etc/build.info as it does not have ini
# format. Resort to shell source.
@ -27,12 +38,83 @@
msg: "system_type is missing in /etc/platform/platform.conf"
when: system_type_result.stdout_lines|length == 0
- name: Set software version, system type config path facts
- name: Set host software version, system type
set_fact:
software_version: "{{ sw_version_result.stdout_lines[0] }}"
system_type: "{{ system_type_result.stdout_lines[0] }}"
host_software_version: "{{ sw_version_result.stdout }}"
host_system_type: "{{ system_type_result.stdout }}"
- name: Fail if host software version is not supported by this playbook
fail:
msg: "This playbook is not compatible with StarlingX software version {{ software_version }}."
when: software_version not in supported_release_versions
msg: "This playbook is not compatible with StarlingX software version {{ host_software_version }}."
when: host_software_version not in supported_release_versions
# check_system validation, e.g. right after remote fresh install
- name: Check if the system is ready
command: "systemctl is-active multi-user.target"
register: check_active
retries: 30
delay: 40
until: check_active.rc == 0
no_log: true
when: check_system
# check_load validation, e.g. prior to subcloud upgrade/restore of non-Redfish subcloud
- block:
- name: Fail if the host was not installed with the right software version
fail:
msg: >
This host is running {{ host_software_version }}. The expected software
version is {{ software_version }}.
when: host_software_version != software_version
when: check_load and software_version is defined
# check_bootstrap_address - e.g. prior to subcloud restore of non-Redfish subcloud
- block:
- set_fact:
ipv4_addressing: "{{ bootstrap_address | ipv4 }}"
ipv6_addressing: "{{ bootstrap_address | ipv6 }}"
- name: Fail if the boot address does not exist in this host (IPv4)
fail:
msg: >-
The specified bootstrap address {{ bootstrap_address }} does
not exist on this host. All IPv4 addresses existing on this
host are {{ ansible_all_ipv4_addresses }}.
when: (ipv4_addressing) and
(bootstrap_address not in ansible_all_ipv4_addresses)
- name: Fail if the boot address does not exist in this host (IPv6)
fail:
msg: >-
The specified bootstrap address {{ bootstrap_address }} does
not exist on this host. All IPv6 addresses existing on this
host are {{ ansible_all_ipv6_addresses }}.
when: (ipv6_addressing) and
(bootstrap_address not in ansible_all_ipv6_addresses)
when: check_bootstrap_address
# check_patches validation - e.g. prior to subcloud restore of non-Redfish subcloud
- block:
- name: Query list of applied patches on master
shell: sw-patch query|awk '($4 == "Applied" || $4 == "Partial-Applied") {print $1}'
register: master_patch_list
delegate_to: localhost
- name: Query list of applied patches on the target
shell: sw-patch query|awk '($4 == "Applied" || $4 == "Partial-Applied") {print $1}'
register: target_patch_list
- name: Fail if the applied patch list on target differs from that on the master
fail:
msg: >-
The applied patches ({{ target_patch_list.stdout_lines }}) are not the same on the
master ({{ master_patch_list.stdout_lines }})
when: target_patch_list.stdout_lines != master_patch_list.stdout_lines
when: check_patches
# Now that the host has been validated, set the official software version, system type facts
- name: Set software version, system type config path facts
set_fact:
software_version: "{{ host_software_version }}"
system_type: "{{ host_system_type }}"
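Review bot: The readiness check at "Check if the system is ready" carries `no_log: true` although `systemctl is-active multi-user.target` returns nothing sensitive, so when the 30×40 s retry loop finally gives up there is no output explaining why; dropping that line (or replacing it with `changed_when: false`) keeps the diagnostic. The comparison at "Fail if the applied patch list on target differs from that on the master" compares the two `stdout_lines` lists positionally, so identical patch sets printed in a different order would fail the check; `when: target_patch_list.stdout_lines | sort != master_patch_list.stdout_lines | sort` compares contents instead. The new `host_software_version`/`software_version` split is a good change, but a one-line comment above "Set host software version, system type" saying that `software_version` may already hold the expected version supplied by the caller (as the `check_load` block relies on) would make the two names easier to tell apart.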


@ -0,0 +1,15 @@
---
#
# Copyright (c) 2021 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
- name: Cleanup temporary files
file:
path: /tmp/edgeworker
state: absent
- name: Remove the provision in progress flag
file:
path: "{{ edgeworker_provision_flag_file }}"
state: absent


@ -0,0 +1,66 @@
---
#
# Copyright (c) 2021 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
- name: Prepare containerd config
command: "cp /etc/containerd/config.toml /tmp/edgeworker/containerd-config.toml"
- name: Change containerd config owner
file:
path: /tmp/edgeworker/containerd-config.toml
owner: "{{ ansible_user }}"
- name: Prepare registry cert
command: "cp /etc/ssl/private/registry-cert.crt /tmp/edgeworker/registry-cert.crt"
- name: Change registry cert owner
file:
path: /tmp/edgeworker/registry-cert.crt
owner: "{{ ansible_user }}"
- name: Prepare docker config and registry cert
command: "cp -r /etc/docker /tmp/edgeworker/docker"
- name: Change docker config owner
file:
path: /tmp/edgeworker/docker
state: directory
recurse: true
owner: "{{ ansible_user }}"
- name: Prepare cgroup setup bash
command: "cp /usr/bin/kubelet-cgroup-setup.sh /tmp/edgeworker/kubelet-cgroup-setup.sh"
- name: Change cgroup setup bash owner
file:
path: /tmp/edgeworker/kubelet-cgroup-setup.sh
owner: "{{ ansible_user }}"
- name: Check kubeadm master
shell: "awk -F '//' '/server/{print$2}' /etc/kubernetes/admin.conf"
register: kubeadm_master_out
- name: Set kubeadm masterip
set_fact:
kubeadm_master: "{{ kubeadm_master_out.stdout }}"
- name: Check kubeadm token
shell: "kubeadm token create"
register: kubeadm_token_create_out
- name: Set kubeadm token
set_fact:
kubeadm_token: "{{ kubeadm_token_create_out.stdout }}"
- name: Get kubeadm ca cert hash
shell: >-
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt |
openssl rsa -pubin -outform der 2>/dev/null |
openssl dgst -sha256 -hex | sed 's/^.* /sha256:/'
register: ca_cert_hash_out
- name: Set kubeadm_ca_cert_hash fact
set_fact:
kubeadm_ca_cert_hash: "{{ ca_cert_hash_out.stdout }}"
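Review bot: "Check kubeadm token" mints a join token with a bare `kubeadm token create`, so it stays valid for kubeadm's default lifetime after the edgeworkers have joined, and because neither that task nor "Set kubeadm token" has `no_log`, the token is printed in the play output. Issuing it short-lived, `shell: "kubeadm token create --ttl 1h"`, and adding `no_log: true` to both tasks narrows the window and the exposure; a `kubeadm token delete` of the registered token in the role's cleanup tasks (the "Cleanup temporary files" file in this commit) would close it as soon as the join is done. The chown-to-`{{ ansible_user }}` of the copied containerd config, `/etc/docker` tree and registry cert is only safe if the `/tmp/edgeworker` directory they live in is not readable by other local users; that is raised on the task that creates it.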


@ -0,0 +1,99 @@
---
#
# Copyright (c) 2021 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
- name: Define a flag file to inidicate edgeworker is being provisioned
set_fact:
edgeworker_provision_flag_file: /var/run/edgeworker_provisioning_in_progress
- name: Check if edgeworker playbook is running by other users
stat:
path: "{{ edgeworker_provision_flag_file }}"
register: edgeworker_provision_flag
- name: Fail if another user is provisioning edgeworker nodes
fail:
msg: >
An edgeworker provisioning session is already in progress, if this is not the case,
please remove "{{ edgeworker_provision_flag_file }}" and try again.
when: edgeworker_provision_flag.stat.exists
- name: Create a flag to indicate the provision is in progress
file:
path: "{{ edgeworker_provision_flag_file }}"
state: touch
- name: Cleanup temporary files if previous run failed
file:
path: /tmp/edgeworker
state: absent
- name: Get host list with hostname/ip/uuid/personality
shell: |
source /etc/platform/openrc
system host-list --column hostname --column mgmt_ip --column uuid --column personality --format yaml
register: host_list_result
- name: Set a list for node hostname and ip address
set_fact:
hostname_ip_list: "{{ hostname_ip_list | default({}) | combine({item.hostname: item.mgmt_ip}) }}"
with_items: "{{ host_list_result.stdout | from_yaml }}"
- name: Set ansible_host of edgeworker
add_host:
hostname: '{{ item }}'
ansible_host: '{{ item }}'
ansible_ssh_host: '{{ hostname_ip_list[item] }}'
with_inventory_hostnames:
- edgeworker
- name: Write edgeworker to /etc/hosts
lineinfile:
dest: /etc/hosts
state: present
regexp: "^{{ hostname_ip_list[item] }}"
line: "{{ hostname_ip_list[item] }} {{ item }}"
with_inventory_hostnames:
- edgeworker
- name: Check the edgeworker connectivity
wait_for:
host: "{{ hostvars[item]['ansible_ssh_host'] }}"
port: 22
state: started
delay: 0
delay: 30
retries: 5
failed_when: false
with_inventory_hostnames:
- edgeworker
become: no
- name: Create edgeworker temp directory for configuration files
file:
path: /tmp/edgeworker
state: directory
- name: Create the host overrides file
command: "/usr/bin/sysinv-utils create-host-overrides /tmp/edgeworker/host-overrides.yml"
- name: Read the overrides variables
include_vars:
file: "/tmp/edgeworker/host-overrides.yml"
- name: Set default docker proxy values if not configured
set_fact:
http_proxy: "{{ docker_http_proxy|default('') }}"
https_proxy: "{{ docker_https_proxy|default('') }}"
no_proxy: "{{ docker_no_proxy|default([]) }}"
- name: Get docker registry config
shell: |
source /etc/platform/openrc
system service-parameter-list | awk '/docker-registry/&&/url/{print$10}'
register: docker_registry_result
- set_fact:
docker_registry: "{{ docker_registry_result.stdout }}"
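Review bot: "Check the edgeworker connectivity" sets `delay:` twice (`delay: 0` then `delay: 30`); a YAML mapping cannot hold duplicate keys and Ansible's loader keeps only the last value with a warning, so the `delay: 0` line should be removed and the intended value kept. On the same task `retries: 5` likely has no effect without an `until:` condition (hedged, this depends on the Ansible version), and `failed_when: false` means an unreachable edgeworker is silently carried into the later join tasks, so consider letting the task fail. "Create edgeworker temp directory for configuration files" creates `/tmp/edgeworker` with no `mode:`, and the following tasks place the controller's containerd config, the whole `/etc/docker` tree and the registry certificate there; `mode: '0700'` together with `owner: "{{ ansible_user }}"` on that directory keeps those out of reach of other users on the controller. The stat-then-touch sequence on the provisioning flag file is a small check-then-act race between two operators, which is acceptable for a manual playbook but worth a comment.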


@ -0,0 +1,8 @@
---
#
# Copyright (c) 2021 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
containerd_cfg_dir: /etc/containerd
containerd_bin_dir: /usr/bin


@ -0,0 +1,61 @@
---
#
# Copyright (c) 2021 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
# The dockerd and containerd will be restarted after the config files
# from the controllers are copied to the edgeworker nodes. Then the
# configuration of the daemon will be updated.
#
- name: Restart containerd
command: /bin/true
notify:
- Containerd | restart containerd
- Containerd | wait for containerd
- name: Containerd | restart containerd
systemd:
name: containerd
state: restarted
enabled: yes
daemon-reload: yes
- name: Containerd | wait for containerd
command: "{{ containerd_bin_dir }}/ctr images ls -q"
register: containerd_ready
retries: 8
delay: 4
until: containerd_ready.rc == 0
- name: Restart dockerd
command: /bin/true
notify:
- Docker | reload systemd
- Docker | reload docker
- Docker | wait for docker
- name: Docker | reload systemd
systemd:
daemon_reload: true
- name: Docker | reload docker
service:
name: docker
state: restarted
- name: Docker | wait for docker
command: "{{ docker_bin_dir }}/docker images"
register: docker_ready
retries: 20
delay: 1
until: docker_ready.rc == 0
# This will be called after kubeadm join to update specific node-ip
# and cri socket config.
- name: Restart kubelet
systemd:
name: kubelet
state: restarted
enabled: yes
daemon-reload: yes
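Review bot: "Docker | wait for docker" references `docker_bin_dir`, which the role defaults shown in this commit do not define (they only set `containerd_cfg_dir` and `containerd_bin_dir`); it appears to come from `vars/ubuntu.yml`, so the handler would fail with an undefined variable if "Restart dockerd" is notified before that file has been loaded. Adding `docker_bin_dir: /usr/bin` to the defaults removes the ordering dependency. As a matter of style the file mixes `daemon-reload: yes` with `daemon_reload: true` and `enabled: yes`; using `daemon_reload: true` / `enabled: true` throughout matches the module's documented option name and avoids YAML 1.1 truthy values.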


@ -0,0 +1,23 @@
---
#
# Copyright (c) 2021 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
- name: Stat sysctl file configuration
stat:
path: /etc/sysctl.d/99-sysctl.conf
- name: Enable net.ipv4.ip_forward in sysctl
sysctl:
name: net.ipv4.ip_forward
value: 1
sysctl_file: /etc/sysctl.d/99-sysctl.conf
state: present
- name: Add net.ipv4.conf.tunl0.rp_filter in sysctl for calico
lineinfile:
path: /etc/sysctl.conf
line: net.ipv4.conf.tunl0.rp_filter=0
state: present
failed_when: false
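Review bot: "Stat sysctl file configuration" has no `register:`, so its result is never read and the task can be deleted. "Add net.ipv4.conf.tunl0.rp_filter in sysctl for calico" only writes the line into `/etc/sysctl.conf` (a different file from the `/etc/sysctl.d/99-sysctl.conf` used two tasks earlier) and never applies it, while `failed_when: false` hides any write failure; the `sysctl` module with `name: net.ipv4.conf.tunl0.rp_filter`, `sysctl_file: /etc/sysctl.d/99-sysctl.conf` and `reload: true` applies it consistently, and if the `failed_when` exists because `tunl0` is not present until Calico starts, the module's `ignoreerrors: true` is the more targeted escape. Note that `0` disables reverse-path filtering on that interface entirely; if Calico only needs loose mode, `2` keeps some protection against spoofed source addresses, which is worth a comment either way.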


@ -0,0 +1,69 @@
---
#
# Copyright (c) 2021 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
- name: Ensure containerd config directory exists
file:
dest: "{{ containerd_cfg_dir }}"
state: directory
mode: 0755
owner: root
group: root
- name: Copy containerd config file to {{ inventory_hostname }}
copy:
src: /tmp/edgeworker/containerd-config.toml
dest: "{{ containerd_cfg_dir }}/config.toml"
force: true
owner: root
group: root
mode: 0600
- name: Ensure registry cert directory exists
file:
dest: /etc/ssl/private
state: directory
mode: 0755
owner: root
group: root
- name: Copy controller docker certificates to /etc/docker on {{ inventory_hostname }}
copy:
src: /tmp/edgeworker/docker/certs.d
dest: /etc/docker/
force: true
owner: root
group: root
- name: Copy controller registry cert file to /etc/ssl/private/ on {{ inventory_hostname }}
copy:
src: /tmp/edgeworker/registry-cert.crt
dest: /etc/ssl/private/registry-cert.crt
force: true
owner: root
group: root
mode: 0400
notify:
- Restart containerd
- name: Copy controller cgroup setup script to {{ inventory_hostname }}
copy:
src: /tmp/edgeworker/kubelet-cgroup-setup.sh
dest: /usr/bin/kubelet-cgroup-setup.sh
force: true
owner: root
group: root
mode: 0700
- name: Add k8s-infra cgroup
command: /usr/bin/kubelet-cgroup-setup.sh
- name: Add k8s-infra cgroup creation in kubelet service
lineinfile:
path: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
state: present
regexp: '^ExecStartPre='
line: 'ExecStartPre=/usr/bin/kubelet-cgroup-setup.sh'
when: ansible_facts['distribution'] == "Ubuntu"
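Review bot: "Ensure registry cert directory exists" sets `/etc/ssl/private` to `mode: 0755`, wider than the directory's distribution default on Debian/Ubuntu (`0710` root:ssl-cert); the certificate itself is written `0400`, so nothing leaks today, but relaxing a directory meant for private keys is unnecessary — `mode: 0700`, or omitting `mode:` to keep the existing permissions, is enough for root to read the file. "Copy controller docker certificates to /etc/docker" copies the whole `certs.d` tree without a `mode:`, so permissions fall back to the copy module's defaults; `mode: preserve` keeps the controller's. The `ExecStartPre=` line added to `10-kubeadm.conf` replaces any existing `ExecStartPre` directive via the regexp, which could clobber one shipped by the package (hedged, since that file's contents are not visible here).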


@ -0,0 +1,24 @@
---
#
# Copyright (c) 2021 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
# Disable swap since kubernetes does not support swap on kubelet nodes
- name: Remove swapfile from /etc/fstab
mount:
name: "{{ item }}"
fstype: swap
state: absent
with_items:
- swap
- none
- name: Check swap
command: /sbin/swapon -s
register: swapon
changed_when: no
- name: Disable swap
command: /sbin/swapoff -a
when: swapon.stdout
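Review bot: `when: swapon.stdout` at "Disable swap" assumes `/sbin/swapon -s` prints nothing when no swap is active; if it prints the column header (the summary is a view of `/proc/swaps`), the condition is always true and `swapoff -a` runs and reports a change on every play. `command: swapon --show=NAME --noheadings` yields an empty stdout when no swap is active and avoids the deprecated `-s` form. `swapoff` with no swap is harmless, so this is an idempotence and reporting issue rather than a functional one.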


@ -0,0 +1,65 @@
---
#
# Copyright (c) 2021 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
- name: Gather variables
include_vars: "vars/ubuntu.yml"
- name: Install prerequisite packages for adding repos and installing kubelet
apt:
pkg:
- apt-transport-https
- ca-certificates
- curl
- gnupg-agent
- software-properties-common
- name: Check if containerd executable exists
stat:
path: /usr/local/bin/containerd
register: containerd_installed
- name: Get containerd version if exists
command: "/usr/local/bin/containerd --version"
register: containerd_installed_ver
when: containerd_installed.stat.exists
- name: Install containerd
unarchive:
src: "https://storage.googleapis.com/cri-containerd-release/cri-containerd-{{ containerd_version }}.linux-amd64.tar.gz"
dest: /
remote_src: yes
environment:
http_proxy: "{{ http_proxy }}"
https_proxy: "{{ https_proxy }}"
no_proxy: "{{ no_proxy }}"
when: (not containerd_installed.stat.exists or containerd_installed_ver.stdout != containerd_version)
- name: Add kubernetes repo key
apt_key:
url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
state: present
environment:
http_proxy: "{{ http_proxy }}"
https_proxy: "{{ https_proxy }}"
no_proxy: "{{ no_proxy }}"
- name: Add kubernetes repo to apt repo
apt_repository:
repo: deb https://apt.kubernetes.io/ kubernetes-xenial main
state: present
- name: Ensure k8s packages are installed
action: "{{ k8s_package_info.pkg_mgr }}"
args:
pkg: "{{ item.name }}"
state: present
force: true
update_cache: true
register: install_task_result
until: install_task_result is succeeded
retries: 5
delay: "{{ retry_stagger | d(5) }}"
with_items: "{{ k8s_package_info.pkgs }}"
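Review bot: "Install containerd" downloads the cri-containerd tarball with `unarchive`'s `remote_src` and extracts it straight into `/` as root with no integrity check, so a tampered or truncated download is installed silently; fetch it first with `get_url` and a pinned `checksum: "sha256:<expected-digest-for-this-release>"` (placeholder, take the value from the upstream release), then unarchive the local file. The guard `containerd_installed_ver.stdout != containerd_version` compares the full `containerd --version` banner (binary name, a `v` prefix and build info) against `1.3.0`, so it is never equal and the tarball is re-extracted on every run; `when: not containerd_installed.stat.exists or containerd_version not in containerd_installed_ver.stdout` is closer to the intent. `apt_key` with a remote URL is deprecated in recent Ansible in favour of a key file under `/etc/apt/keyrings` referenced with `signed-by` in the repo line — hedged, as it depends on the Ansible version in use.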


@ -0,0 +1,68 @@
---
#
# Copyright (c) 2021 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
# These tasks enable edgeworkers joining to STX Kubernetes cluster
#
# 1. Prepare kubelet and containerd configuration
# 2. Join to STX Kubernetes
# 3. Pull Kubernetes images to the edgeworker nodes
#
- name: Add node ip and containerd runtime to kubelet config
lineinfile:
path: "{{ kubelet_extra_config_file }}"
state: present
regexp: '^KUBELET_EXTRA_ARGS='
line: >-
"KUBELET_EXTRA_ARGS=--node-ip={{ ansible_ssh_host }} --container-runtime=remote
--container-runtime-endpoint=unix:///run/containerd/containerd.sock"
create: yes
notify: Restart kubelet
- name: Check if kubelet config exists
stat:
path: /etc/kubernetes/kubelet.conf
register: kubelet_conf_st
- name: Join the {{ inventory_hostname }} with k8s cluster
shell: >-
kubeadm join --token {{ hostvars['localhost']['kubeadm_token'] }}
--discovery-token-ca-cert-hash {{ hostvars['localhost']['kubeadm_ca_cert_hash'] }}
--skip-phases preflight {{ hostvars['localhost']['kubeadm_master'] }}
environment:
no_proxy: "{{ no_proxy }}"
when: not kubelet_conf_st.stat.exists
- name: Modify the default cni bin directory if the Linux distribution is Ubuntu
lineinfile:
path: "{{ kubelet_extra_config_file }}"
regexp: "^(KUBELET_EXTRA_ARGS=.*)$"
line: '\1 --cni-bin-dir /usr/libexec/cni'
backrefs: yes
when: ansible_facts['distribution'] == "Ubuntu"
- name: Get the controller registry credentials
vars:
script_content: |
import keyring
password = str(keyring.get_password("CGCS", "admin"))
if not password:
raise Exception("Local registry password not found.")
print dict(username='admin', password=password)
ansible_connection: local
shell: "{{ script_content }}"
args:
executable: /usr/bin/python
register: local_registry_credentials_output
- set_fact:
local_registry: "registry.local:9001"
local_registry_credentials: "{{ local_registry_credentials_output.stdout }}"
- name: Pull k8s gcr images from controller registry to {{ inventory_hostname }}
shell: >-
kubeadm config images list --kubernetes-version {{ k8s_version }} --image-repository {{ local_registry }}/k8s.gcr.io |
xargs -i sudo crictl pull --creds
{{ local_registry_credentials['username'] }}:{{ local_registry_credentials['password'] }} {}
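Review bot: "Get the controller registry credentials" prints the local registry admin password to stdout, registers it and then stores it with `set_fact`, and none of those tasks carry `no_log`, so the password lands in the play output and any configured log; "Pull k8s gcr images from controller registry" then passes it on the `crictl pull --creds` command line, where it is visible in the edgeworker's process list for the duration of the pull. Add `no_log: true` to the credentials task, the `set_fact` and the pull task at minimum. The inline script is Python 2 only (`print dict(...)`) and runs under `executable: /usr/bin/python`, which is absent or Python 3 on newer controllers; `print(dict(username='admin', password=password))` works on both. The join command also embeds the bootstrap token on the command line, which is inherent to kubeadm but one more reason to keep that token short-lived.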


@ -0,0 +1,31 @@
---
#
# Copyright (c) 2021 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
- name: Get Kubernetes version on the controller
shell: |
kubectl version --client=true --short=true | awk '{print $3}'
register: k8s_ver_result
delegate_to: localhost
- set_fact:
kubernetes_version: "{{ k8s_ver_result.stdout }}"
- include_vars:
dir: "{{ playbook_dir }}/roles/common/load-images-information/vars/k8s-{{ kubernetes_version }}"
files_matching: "system-images.yml"
- import_tasks: configure-swap.yml
- import_tasks: configure-networking.yml
- include_tasks: install-ubuntu-packages.yml
when: ansible_facts['distribution'] == "Ubuntu"
- import_tasks: configure-registry-cgroup.yml
- meta: flush_handlers
- import_tasks: join-k8s-cluster.yml


@ -0,0 +1,4 @@
[Service]
Environment="HTTP_PROXY={{ http_proxy }}"
Environment="HTTPS_PROXY={{ https_proxy }}"
Environment="NO_PROXY={{ no_proxy }}"


@ -0,0 +1,7 @@
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg


@ -0,0 +1,34 @@
---
#
# Copyright (c) 2021 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
containerd_bin_dir: /usr/local/bin
containerd_version: '1.3.0'
containerd_versioned_pkg:
'1.3.3': containerd-1.3.3-0ubuntu1
docker_bin_dir: /usr/bin
docker_version: '18.09.6'
docker_versioned_pkg:
'18.09.6': 5:18.09.6~3-0~ubuntu-bionic
k8s_version: '1.18.1'
kubeadm_versioned_pkg:
'1.16.2': kubeadm=1.16.2-00
'1.18.1': kubeadm=1.18.1-00
kubelet_versioned_pkg:
'1.16.2': kubelet=1.16.2-00
'1.18.1': kubelet=1.18.1-00
k8s_package_info:
pkg_mgr: apt
pkgs:
- name: "{{ kubelet_versioned_pkg[k8s_version | string] }}"
- name: "{{ kubeadm_versioned_pkg[k8s_version | string] }}"
kubelet_extra_config_file: /etc/default/kubelet
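Review bot: `k8s_version: '1.18.1'` is pinned here while the role's `main.yml` derives `kubernetes_version` from the controller's `kubectl` at run time and uses it to pick the image list; the kubelet/kubeadm packages and the `kubeadm config images list --kubernetes-version` call in `join-k8s-cluster.yml` use the pinned value, so a controller on a different release would get mismatched packages and images. Deriving one from the other, e.g. `k8s_version: "{{ kubernetes_version | regex_replace('^v', '') }}"`, or asserting that the two agree, avoids that drift. `containerd_versioned_pkg` lists only `'1.3.3'` while `containerd_version` is `'1.3.0'`, and nothing in the files shown here reads that map, so it looks like dead data that will mislead the next reader.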


@ -0,0 +1,26 @@
---
#
# Copyright (c) 2021 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
# Prepare edgeworker OS configuration
#
# Some limitations for edgeworker nodes:
# - The edgeworker nodes do not support IPv6
# - The edgeworker nodes only support Ubuntu as OS
#
- name: Fail if the network address type of the edgeworker node is IPv6
fail:
msg: "IPv6 network addressing is currently not supported for edgeworker nodes."
when: ansible_default_ipv6.keys() | length != 0
- name: Fail if the edgeworker node OS is not Ubuntu
fail:
msg: "The edgeworker node OS must be Ubuntu."
when: ansible_distribution != "Ubuntu"
- import_tasks: prepare-host.yml
- include_tasks: prepare-ubuntu.yml
when: ansible_distribution == "Ubuntu"
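Review bot: The `when: ansible_distribution == "Ubuntu"` on `include_tasks: prepare-ubuntu.yml` is redundant once "Fail if the edgeworker node OS is not Ubuntu" has aborted on anything else, and a reader may take it as a sign that a non-Ubuntu path exists. If the guard is kept to leave room for other distributions, a comment such as `# Only Ubuntu is supported today; the guard keeps the per-distro include explicit` states that intent.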


@ -0,0 +1,37 @@
---
#
# Copyright (c) 2021 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
- name: Set http_proxy value if configured
set_fact:
http_proxy: "{{ hostvars['localhost']['http_proxy'] }}"
when: hostvars['localhost']['http_proxy'] is defined
- name: Set https_proxy value if configured
set_fact:
https_proxy: "{{ hostvars['localhost']['https_proxy'] }}"
when: hostvars['localhost']['https_proxy'] is defined
- name: Set no_proxy value if configured
set_fact:
no_proxy: "{{ hostvars['localhost']['no_proxy'] }}"
when: hostvars['localhost']['no_proxy'] is defined
- name: Set docker_registry value if configured
set_fact:
docker_registry: "{{ hostvars['localhost']['docker_registry'] }}"
when: hostvars['localhost']['docker_registry'] is defined
- name: Ensure ssh directory exists
file:
dest: "/home/{{ ansible_user }}/.ssh"
state: directory
mode: 0700
owner: "{{ ansible_user }}"
group: "{{ ansible_user }}"
- name: Set hostname
hostname:
name: "{{ ansible_host }}"
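Review bot: "Ensure ssh directory exists" hard-codes `/home/{{ ansible_user }}/.ssh`, which is wrong for accounts whose home is elsewhere; if facts are gathered for the edgeworkers (the role already relies on `ansible_distribution`), `dest: "{{ ansible_user_dir }}/.ssh"` uses the real home directory. "Set hostname" sets the machine hostname to `{{ ansible_host }}`, which the `add_host` task in this commit assigned from the inventory name, so the node's hostname silently depends on how it is spelled in the inventory; a comment such as `# hostname must equal the inventory name so the /etc/hosts entry written on the controller resolves` would make that coupling visible.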


@ -0,0 +1,137 @@
---
#
# Copyright (c) 2021 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
- name: Set management ip address
set_fact:
mgmt_ip_addr: "{{ hostvars['localhost']['hostname_ip_list'][ansible_host] }}"
# Find the management interface name by ip
# Search for specific ip in ipv4.address and ipv4_secondaries list
# Sample output: mgmt_if_name: eno1
- name: Get management network interface name
set_fact:
mgmt_if_name: "{{ item }}"
when: >
(hostvars[ansible_host]['ansible_%s' % item]|default({}))
.get('ipv4', {}).get('address') == mgmt_ip_addr
or
mgmt_ip_addr in ((hostvars[ansible_host]['ansible_%s' % item]|default({}))
.get('ipv4_secondaries'))|map(attribute='address')|list
with_items:
- "{{ ansible_interfaces }}"
- name: Set systemd-networkd interface config
template:
src: 1-interface.network.j2
dest: /etc/systemd/network/1-interface.network
mode: '0644'
# It's a workaround for stx-openstack neutron that
# it mandatorily requires docker0 bridge on the host
- name: Set systemd-networkd bridge config
template:
src: 5-bridge.netdev.j2
dest: /etc/systemd/network/5-bridge.netdev
mode: '0644'
- name: Set systemd-networkd bridge address
template:
src: 5-bridge.network.j2
dest: /etc/systemd/network/5-bridge.network
mode: '0644'
- name: Start systemd-networkd service
systemd:
name: systemd-networkd
daemon_reload: yes
enabled: yes
state: restarted
- name: Read in service facts
service_facts:
- block:
- name: Disable NetworkManager
systemd:
name: NetworkManager
enabled: no
state: stopped
- name: Disable NetworkManager-wait-online
systemd:
name: NetworkManager-wait-online
enabled: no
state: stopped
- name: Disable NetworkManager-dispatcher
systemd:
name: NetworkManager-dispatcher
enabled: no
state: stopped
- name: Disable network-manager
systemd:
name: network-manager
enabled: no
state: stopped
- name: Reboot edgeworker
reboot:
when: >-
("NetworkManager.service" in ansible_facts.services and
ansible_facts.services["NetworkManager.service"].state != "stopped")
- name: Set dns server for systemd-resolved
lineinfile:
dest: /etc/systemd/resolved.conf
state: present
insertbefore: EOF
regexp: "DNS={{ hostvars['localhost']['management_floating_address'] }}"
line: "DNS={{ hostvars['localhost']['management_floating_address'] }}"
- name: Restart systemd-resolved service
systemd:
name: systemd-resolved
daemon_reload: yes
enabled: yes
state: restarted
- name: Add registry.local to hosts
lineinfile:
dest: /etc/hosts
state: present
regexp: "registry.local"
line: "{{ hostvars['localhost']['management_floating_address'] }} registry.local"
- name: Add proxy to apt.conf.d if http_proxy is defined
lineinfile:
path: "/etc/apt/apt.conf.d/10proxy"
regexp: '^Acquire::http::Proxy'
line: 'Acquire::http::Proxy "{{ http_proxy }}";'
create: true
state: present
when:
- http_proxy is defined
- name: Install ntp packages
apt:
pkg:
- ntp
update_cache: yes
- name: Config ntp server
lineinfile:
dest: /etc/ntp.conf
state: present
regexp: "^server {{ hostvars['localhost']['management_floating_address'] }}"
line: "server {{ hostvars['localhost']['management_floating_address'] }}"
- name: Start ntp service
systemd:
name: ntp
enabled: yes
daemon_reload: yes
state: restarted
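Review bot: The `lineinfile` regexps that embed the floating address ("Set dns server for systemd-resolved", "Config ntp server") and the bare `registry.local` in "Add registry.local to hosts" are unanchored and use unescaped dots, so `DNS=10.0.0.1` also matches an existing `DNS=10.0.0.10` line and `registry.local` matches any line containing e.g. `myregistry.local`, replacing an unrelated entry. Anchoring and escaping, e.g. `regexp: "^DNS={{ hostvars['localhost']['management_floating_address'] | regex_escape }}$"` for resolved.conf and `regexp: '^\S+\s+registry\.local$'` for `/etc/hosts`, makes each replacement precise. From the rendered view it is not clear whether the `when:` that follows "Reboot edgeworker" belongs to the reboot task or to the whole NetworkManager block; a comment above `- block:` stating which is intended would prevent the block being misread.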


@ -0,0 +1,6 @@
[Match]
Name={{ mgmt_if_name }}
[Network]
#Address=
DHCP=yes


@ -0,0 +1,3 @@
[NetDev]
Name=docker0
Kind=bridge


@ -0,0 +1,6 @@
[Match]
Name=docker0
[Network]
Address=172.17.0.1/16
ConfigureWithoutCarrier=yes


@ -163,7 +163,7 @@
shell: cp -ar /tmp/mon-store/store.db /var/lib/ceph/mon/ceph-{{ mon_name }}
- name: Bring up ceph Monitor and OSDs
command: /etc/init.d/ceph start
command: /etc/init.d/ceph start mon osd
- name: Wait for ceph monitor to be up
shell: ceph -s


@ -0,0 +1,23 @@
---
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# ROLE DESCRIPTION:
# This role checks related services are all enabled-active before
# finishing the rehome playbook
#
- name: Wait for 90 secs before check if services come up
wait_for: timeout=90
- name: Check all services are enabled-active
shell: >-
source /etc/platform/openrc; system service-list
| awk 'FNR >= 4 { print $8 }'
| grep -v "enabled-active" | wc -l
register: service_status_result
until: service_status_result.stdout == "1"
retries: 5
delay: 30
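Review bot: `until: service_status_result.stdout == "1"` encodes the expectation that exactly one line of `system service-list` output (presumably the closing table border, which `awk 'FNR >= 4'` does not skip) fails to match `enabled-active`; that magic number needs a comment, e.g. `# the trailing table border is the one line expected not to match`, and a sturdier form counts only real rows: `awk 'FNR >= 4 && $8 != "" && $8 != "enabled-active"' | wc -l` with `until: service_status_result.stdout == "0"`. The `wait_for: timeout=90` key=value form is inconsistent with the block-style module arguments used elsewhere in this commit; `wait_for:` with `timeout: 90` beneath it matches.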


@ -0,0 +1,68 @@
---
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# This role is to check the target host environment before proceeding to
# the next step.
#
- name: Set config path facts
set_fact:
config_permdir: "{{ platform_path + '/config/' + software_version }}"
puppet_permdir: "{{ platform_path + '/puppet/' + software_version }}"
- name: Set network facts
set_fact:
controller_floating_address: "{{ management_start_address }}"
external_oam_node_0_address: "{{ external_oam_node_0_address | default('derived') }}"
- name: Set derived facts for subsequent tasks/roles
set_fact:
derived_network_params:
'controller_0_address': "{{ controller_floating_address|ipmath(1) }}"
'controller_1_address': "{{ controller_floating_address|ipmath(2) }}"
'oam_start_address': "{{ external_oam_node_0_address if external_oam_node_0_address != 'derived'
else external_oam_floating_address | ipmath(1) }}"
- name: Get existing docker no_proxy
shell: >-
source /etc/platform/openrc; system service-parameter-list |
awk '($4 == "docker" && $8 == "no_proxy") {print $2}'
register: existing_docker_no_proxy_result
- block:
- name: Set subcloud docker no_proxy facts
set_fact:
subcloud_no_proxy:
- localhost
- 127.0.0.1
- registry.local
- "{{ (cluster_service_subnet | ipaddr(1)).split('/')[0] }}"
- "{{ controller_floating_address }}"
- "{{ derived_network_params.controller_0_address }}"
- "{{ external_oam_floating_address }}"
- "{{ derived_network_params.oam_start_address }}"
- registry.central
- "{{ system_controller_oam_floating_address }}"
docker_no_proxy_combined: []
- name: Add user defined no-proxy address list to subcloud no proxy list
set_fact:
docker_no_proxy_combined: "{{ subcloud_no_proxy | union(docker_no_proxy) | ipwrap | unique }}"
when: existing_docker_no_proxy_result.stdout | length > 0
- name: Get management interface of controller-0
shell: >-
source /etc/platform/openrc; system interface-network-list controller-0 |
awk '$8 == "mgmt" { print $6 }'
register: controller_0_management_interface_result
- name: Get management interface of controller-1 if the subcloud is not simplex
shell: >-
source /etc/platform/openrc; system interface-network-list controller-1 |
awk '$8 == "mgmt" { print $6 }'
register: controller_1_management_interface_result
when: system_mode != 'simplex'
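Review bot: "Add user defined no-proxy address list to subcloud no proxy list" unions `docker_no_proxy`, a variable not set in this file or in the role vars shown, so the play fails with an undefined variable whenever the caller omits it while `existing_docker_no_proxy_result` is non-empty; `union(docker_no_proxy | default([]))` keeps the task safe. The two "Get management interface" tasks register their results but nothing here checks for an empty `stdout`, so a host without a `mgmt` interface network is only discovered wherever those results are consumed; `failed_when: controller_0_management_interface_result.stdout | length == 0` gives an immediate, readable failure. The role description could also say which variables (`software_version`, `management_start_address`, `external_oam_floating_address`, `system_controller_oam_floating_address`, `cluster_service_subnet`) it expects from the caller, since none are defaulted here.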


@ -0,0 +1,9 @@
---
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
platform_path: /opt/platform
puppet_path: /opt/platform/puppet


@ -0,0 +1,138 @@
#!/usr/bin/python
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# Migrate keystone IDs during rehoming a subcloud
#
import psycopg2
import sys
from psycopg2.extras import RealDictCursor
def get_keystone_local_user_id(user_name, cur):
""" Get a keystone local user id by name"""
cur.execute("SELECT user_id FROM local_user WHERE name='%s'" %
user_name)
user_id = cur.fetchone()
if user_id is not None:
return user_id['user_id']
else:
return user_id
def get_keystone_local_user_record(user_name, cur):
""" Get a keystone local user record by name"""
cur.execute("SELECT public.user.* FROM public.user INNER JOIN public.local_user \
ON public.user.id=public.local_user.user_id \
WHERE public.local_user.name='%s'" % user_name)
user_record = cur.fetchone()
return user_record
def get_keystone_project_id(project_name, cur):
""" Get a keystone project id by name"""
cur.execute("SELECT id FROM public.project WHERE name='%s'" %
project_name)
project_id = cur.fetchone()
if project_id is not None:
return project_id['id']
else:
return project_id
def clean_keystone_non_local_user(user_id, cur):
""" Clean an existing keystone non local user by user id"""
try:
cur.execute("DELETE FROM nonlocal_user WHERE user_id='%s'" % user_id)
cur.execute("DELETE FROM federated_user WHERE user_id='%s'" % user_id)
cur.execute("DELETE FROM public.user WHERE id='%s'" % user_id)
except Exception as ex:
print("Failed to clean the user id: %s" % user_id)
raise ex
def update_keystone_user_id(user_name, user_id):
""" Update the keystone user id"""
conn = psycopg2.connect("dbname='keystone' user='postgres'")
with conn:
with conn.cursor(cursor_factory=RealDictCursor) as cur:
current_user_id = get_keystone_local_user_id(user_name, cur)
if current_user_id != user_id:
try:
clean_keystone_non_local_user(user_id, cur)
local_user_record = get_keystone_local_user_record(user_name, cur)
cur.execute("INSERT INTO public.user (id, extra, enabled, created_at, domain_id) \
VALUES ('%s', '%s', '%s', '%s', '%s')" %
(user_id, local_user_record['extra'], local_user_record['enabled'],
local_user_record['created_at'], local_user_record['domain_id']))
cur.execute("UPDATE public.user_option SET user_id='%s' WHERE user_id='%s'"
% (user_id, local_user_record['id']))
cur.execute("UPDATE public.assignment SET actor_id='%s' from public.local_user \
WHERE public.assignment.actor_id=public.local_user.user_id AND \
public.local_user.name='%s'" % (user_id, user_name))
cur.execute("UPDATE public.local_user SET user_id='%s' \
WHERE public.local_user.name='%s'" % (user_id, user_name))
cur.execute("DELETE FROM public.user WHERE id='%s'" % local_user_record['id'])
except Exception as ex:
print("Failed to update keystone id for user: %s" % user_name)
raise ex
def update_barbican_project_external_id(old_id, new_id):
""" update the project external id in barbican db """
conn = psycopg2.connect("dbname='barbican' user='postgres'")
with conn:
with conn.cursor() as cur:
try:
cur.execute("UPDATE public.projects SET external_id='%s' WHERE \
external_id='%s'" % (new_id, old_id))
except Exception as ex:
raise ex
def update_keystone_project_id(project_name, project_id):
""" Update a keystone project id by name"""
conn = psycopg2.connect("dbname='keystone' user='postgres'")
with conn:
with conn.cursor(cursor_factory=RealDictCursor) as cur:
current_project_id = get_keystone_project_id(project_name, cur)
if current_project_id != project_id:
try:
cur.execute("UPDATE public.assignment SET target_id='%s' FROM public.project \
WHERE public.assignment.target_id=public.project.id AND \
public.project.name='%s'" % (project_id, project_name))
cur.execute("UPDATE public.project SET id='%s' WHERE \
name='%s'" % (project_id, project_name))
except Exception as ex:
print("Failed to update keystone id for project: %s" % project_name)
raise ex
try:
update_barbican_project_external_id(current_project_id, project_id)
except Exception as ex:
print("Failed to update external_id in barbican db for project: %s" % project_name)
raise ex
if __name__ == "__main__":
keystone_name = sys.argv[1]
keystone_id = sys.argv[2]
keystone_type = sys.argv[3]
if keystone_type == 'user':
update_keystone_user_id(keystone_name, keystone_id)
elif keystone_type == 'project':
update_keystone_project_id(keystone_name, keystone_id)
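Review bot: Every query in this script splices its arguments into the SQL text with `%` formatting — `user_name`, `project_name` and the IDs come straight from `sys.argv`, which the playbook fills from variables — so a value containing a quote breaks the statement and, because the script runs as the postgres superuser, unintended SQL can run; psycopg2 supports server-side parameters, so `cur.execute("SELECT user_id FROM local_user WHERE name = %s", (user_name,))` is the form every `execute` call should take. That also fixes the `INSERT INTO public.user`, where `'%s'` of `local_user_record['extra']` writes a Python dict repr rather than valid JSON if psycopg2 returns that column as a dict (hedged), and where `enabled` is inserted as a quoted string. The `except Exception as ex: raise ex` pattern in `clean_keystone_non_local_user`, `update_barbican_project_external_id` and the two update functions rewrites the traceback on Python 2; a bare `raise` preserves it, and the try/except in `update_barbican_project_external_id` adds nothing and can go. `__main__` reads `sys.argv[1..3]` without checking their count and silently does nothing for an unknown `keystone_type`; an explicit `sys.exit("usage: migrate_keystone_ids.py <name> <id> user|project")` makes misuse visible.
```python
def get_keystone_local_user_id(user_name, cur):
    """Get a keystone local user id by name, or None if there is no such user."""
    # Parameters are bound server-side; never interpolate values into SQL text.
    cur.execute("SELECT user_id FROM local_user WHERE name = %s", (user_name,))
    row = cur.fetchone()
    return row['user_id'] if row is not None else None

# … rest of the lookups: same (sql, params) form for get_keystone_local_user_record / get_keystone_project_id …

def clean_keystone_non_local_user(user_id, cur):
    """Clean an existing keystone non local user by user id."""
    try:
        cur.execute("DELETE FROM nonlocal_user WHERE user_id = %s", (user_id,))
        cur.execute("DELETE FROM federated_user WHERE user_id = %s", (user_id,))
        cur.execute("DELETE FROM public.user WHERE id = %s", (user_id,))
    except Exception:
        print("Failed to clean the user id: %s" % user_id)
        raise  # bare raise keeps the original traceback

# … rest of the script: convert each remaining execute() to the same (sql, params) form …
```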


@ -0,0 +1,29 @@
#!/bin/bash
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# As the 'openstack user set' command may fail to
# update the passwords, this script validates the password
# from db, to ensure the password is updated in database.
#
USER_NAME=$1
START_TIME=$2
# Search the password creation timestamp in microsecond
create_time_in_db=$(sudo -u postgres psql -c "select password.created_at_int \
from local_user inner join password \
on local_user.id=password.local_user_id \
where local_user.name='"${USER_NAME}"' \
and password.expires_at is null" keystone \
|sed -n 3p)
if [[ $((create_time_in_db/1000000)) -lt $START_TIME ]]; then
echo "Failed to update keystone password."
exit 1
fi
echo "Updated keystone password."
exit 0
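Review bot: When the query returns no row (unknown user, or no password row with `expires_at IS NULL`), `sed -n 3p` picks up psql's `(0 rows)` footer and the arithmetic in `$((create_time_in_db/1000000))` aborts with a bash syntax error instead of printing the intended "Failed to update keystone password." message; running psql with `-At` (tuples only, unaligned) and testing for an empty result first gives a clean failure. `$USER_NAME` is spliced into the SQL literal, so a name containing a quote breaks the statement; psql's variable binding (`-v name="$USER_NAME"` with `local_user.name = :'name'` in the query) keeps the value out of the SQL text. `$START_TIME` is compared unquoted and unvalidated, so a non-numeric argument also produces a bash error rather than a usage message.
```bash
USER_NAME=$1
START_TIME=$2
[[ "$START_TIME" =~ ^[0-9]+$ ]] || { echo "Invalid start time: $START_TIME"; exit 2; }
# -At: tuples only, unaligned, so no row yields an empty string instead of "(0 rows)";
# :'name' lets psql quote the user name rather than splicing it into the SQL text.
create_time_in_db=$(sudo -u postgres psql -At -v name="$USER_NAME" -c "select password.created_at_int \
    from local_user inner join password \
    on local_user.id=password.local_user_id \
    where local_user.name=:'name' \
    and password.expires_at is null" keystone | head -n 1)
if [[ -z "$create_time_in_db" ]] || [[ $((create_time_in_db/1000000)) -lt $START_TIME ]]; then
    echo "Failed to update keystone password."
    exit 1
fi
# … unchanged: success message and exit 0 …
```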


@ -0,0 +1,29 @@
---
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# ROLE DESCRIPTION:
# This role updates the openstack keystone data(Ids, passwords)
# in database, reloads the configurations of related services and
# restarts these services
#
- name: Temporarily disable lockout in keystone
lineinfile:
path: "/etc/keystone/keystone.conf"
regexp: "^{{ item }}"
state: absent
with_items:
- "lockout_failure_attempts"
- "lockout_duration"
- name: Restart keystone service
command: "sm-restart service keystone"
- name: Migrate keystone passwords
import_tasks: migrate_keystone_passwords.yml
- name: Migrate keystone IDs
import_tasks: migrate_keystone_ids.yml
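Review bot: "Temporarily disable lockout in keystone" deletes `lockout_failure_attempts` and `lockout_duration` from keystone.conf, but no task in this role re-adds them, so the brute-force lockout stays disabled on the subcloud after the migration unless another play or the puppet manifest rewrites the file. If that restoration is intentional and happens elsewhere, state it in the task comment, e.g. `# the lockout settings are restored when the puppet manifests are re-applied on unlock` (only if that is actually the case); otherwise add a closing task that re-applies the two settings and restarts keystone, mirroring the removal. Adding `backup: true` to the `lineinfile` task would at least keep the original values recoverable on the host.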


@ -0,0 +1,68 @@
---
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# SUB-TASKS DESCRIPTION:
# These tasks are to migrate the keystone IDs in keystone DB and hieradata.
#
- name: Migrate keystone user IDs
script: migrate_keystone_ids.py {{ item.name }} {{ item.id }} 'user'
with_items:
- { name: 'admin', id: "{{ system_controller_keystone_admin_user_id }}" }
- { name: 'sysinv', id: "{{ system_controller_keystone_sysinv_user_id }}" }
- { name: 'dcmanager', id: "{{ system_controller_keystone_dcmanager_user_id }}" }
become_user: postgres
no_log: true
- name: Migrate keystone project IDs
script: migrate_keystone_ids.py {{ item.name }} {{ item.id }} 'project'
with_items:
- { name: 'admin', id: "{{ system_controller_keystone_admin_project_id }}" }
- { name: 'services', id: "{{ system_controller_keystone_services_project_id }}" }
become_user: postgres
no_log: true
# The values updated will be applied as puppet manifest after unlock
- name: Write required system controller keystone user and project Ids to static hieradata
lineinfile:
path: "{{ puppet_path }}/{{ software_version }}/hieradata/static.yaml"
regexp: "{{ item.From }}"
line: "{{ item.To }}"
with_items:
- { From: "^keystone::dc_admin_user_id",
To: "keystone::dc_admin_user_id: {{ system_controller_keystone_admin_user_id }}" }
- { From: "^keystone::dc_admin_project_id",
To: "keystone::dc_admin_project_id: {{ system_controller_keystone_admin_project_id }}" }
- { From: "^openstack::keystone::bootstrap::dc_services_project_id",
To: "openstack::keystone::bootstrap::dc_services_project_id:
{{ system_controller_keystone_services_project_id }}" }
- { From: "^platform::sysinv::bootstrap::dc_sysinv_user_id",
To: "platform::sysinv::bootstrap::dc_sysinv_user_id:
{{ system_controller_keystone_sysinv_user_id }}" }
- { From: "^platform::dcmanager::bootstrap::dc_dcmanager_user_id",
To: "platform::dcmanager::bootstrap::dc_dcmanager_user_id:
{{ system_controller_keystone_dcmanager_user_id }}" }
no_log: true
- name: Reload related services
systemd:
name: "{{ item }}"
state: restarted
with_items:
- sm-api
- fminit
- fm-api
- sysinv-agent
- sw-patch-controller
- name: Restart sm managed services
command: "sm-restart service {{ item }}"
with_items:
- lighttpd
- keystone
- sysinv-conductor
- fm-mgr
- barbican-api
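Review bot: The `script:` arguments in the two migrate tasks are rendered unquoted into the command line (`migrate_keystone_ids.py {{ item.name }} {{ item.id }} 'user'`), and the script itself (visible earlier on this page) builds its SQL with `%` formatting, so any whitespace or quote in a `system_controller_keystone_*_id` value corrupts the argv and the UPDATE statements; pass them as `{{ item.name | quote }} {{ item.id | quote }}`, and if these IDs are always 32-character hex strings, an `assert` task on `item.id is match('^[0-9a-f]{32}$')` before the script call would reject malformed input early. The hieradata `To:` values that span two lines are folded double-quoted scalars, so they render as one line with a single space, which is what `lineinfile` needs — a short comment saying so would stop someone "fixing" them into literal newlines. `no_log: true` on the ID tasks hides the failing item on error; it is necessary on the password tasks but here it only carries IDs, so consider dropping it or documenting why it is kept.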


@ -0,0 +1,148 @@
---
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# SUB-TASKS DESCRIPTION:
# These tasks update keystone passwords in keystone database, secure hieradata,
# relevant service config files as well as service passwords in keyring.
#
- name: Get current time before update password
# TODO(yuxing) The 'openstack user set' may fail to update password in
# keystone database. Further, if we move it in a shell script and invoke the
# script remotely, the ansible will fail to access the remote keystone
# endpoint for authentication. Need to remove this workaround if we can
# address either of these two problems.
shell: START_TIME=$(date +%s); echo $START_TIME
register: current_time_result
- name: Update keystone passwords
# There's special characters in password, wrap the passwords with single quotes
shell: >-
source /etc/platform/openrc;
openstack user set {{ item.name }} --password $'{{ item.password }}';
{{ validate_keystone_passwords_script }} {{ item.name }} {{ current_time_result.stdout }}
with_items:
- { name: 'sysinv', password: "{{ users['sysinv'] }}" }
- { name: 'patching', password: "{{ users['patching'] }}" }
- { name: 'smapi', password: "{{ users['smapi'] }}" }
- { name: 'mtce', password: "{{ users['mtce'] }}" }
- { name: 'dcmanager', password: "{{ users['dcmanager'] }}" }
- { name: 'barbican', password: "{{ users['barbican'] }}" }
register: migrate_keystone_password_result
until: migrate_keystone_password_result.rc == 0
retries: 3
delay: 20
no_log: true
- name: Update services' passwords in hieradata
lineinfile:
path: "/opt/platform/puppet/{{ software_version }}/hieradata/secure_static.yaml"
regexp: "{{ item.From }}"
line: "{{ item.To }}"
with_items:
- { From: "^dcmanager::api::keystone_password",
To: "dcmanager::api::keystone_password: !!python/unicode '{{ users['dcmanager'] }}'" }
- { From: "^dcmanager::keystone::auth::password",
To: "dcmanager::keystone::auth::password: !!python/unicode '{{ users['dcmanager'] }}'" }
- { From: "^dcorch::api_proxy::dcmanager_keystone_password",
To: "dcorch::api_proxy::dcmanager_keystone_password: !!python/unicode '{{ users['dcmanager'] }}'" }
- { From: "^patching::api::keystone_password",
To: "patching::api::keystone_password: !!python/unicode '{{ users['patching'] }}'" }
- { From: "^patching::keystone::auth::password",
To: "patching::keystone::auth::password: !!python/unicode '{{ users['patching'] }}'" }
- { From: "^patching::keystone::authtoken::password",
To: "patching::keystone::authtoken::password: !!python/unicode '{{ users['patching'] }}'" }
- { From: "^platform::mtce::params::auth_pw",
To: "platform::mtce::params::auth_pw: !!python/unicode '{{ users['mtce'] }}'" }
- { From: "^platform::smapi::params::keystone_password",
To: "platform::smapi::params::keystone_password: !!python/unicode '{{ users['smapi'] }}'" }
- { From: "^smapi::auth::auth_password",
To: "smapi::auth::auth_password: !!python/unicode '{{ users['smapi'] }}'" }
- { From: "^smapi::keystone::auth::password",
To: "smapi::keystone::auth::password: !!python/unicode '{{ users['smapi'] }}'" }
- { From: "^smapi::keystone::authtoken::password",
To: "smapi::keystone::authtoken::password: !!python/unicode '{{ users['smapi'] }}'" }
- { From: "^sysinv::api::keystone_password",
To: "sysinv::api::keystone_password: !!python/unicode '{{ users['sysinv'] }}'" }
- { From: "^sysinv::certmon::local_keystone_password",
To: "sysinv::certmon::local_keystone_password: !!python/unicode '{{ users['sysinv'] }}'" }
- { From: "^sysinv::keystone::auth::password",
To: "sysinv::keystone::auth::password: !!python/unicode '{{ users['sysinv'] }}'" }
- { From: "^barbican::keystone::auth::password",
To: "barbican::keystone::auth::password: !!python/unicode '{{ users['barbican'] }}'" }
- { From: "^barbican::keystone::authtoken::password",
To: "barbican::keystone::authtoken::password: !!python/unicode '{{ users['barbican'] }}'" }
no_log: true
- name: Update sysinv config
lineinfile:
path: "{{ item }}"
regexp: "^password="
line: "password={{ users['sysinv'] }}"
with_items:
- /etc/sysinv/sysinv.conf
- /etc/sysinv/cert-mon.conf
- /etc/sysinv/api-paste.ini
no_log: true
- name: Update patching config
lineinfile:
path: "/etc/patching/patching.conf"
regexp: "^password="
line: "password={{ users['patching'] }}"
no_log: true
- name: Update barbican config
lineinfile:
path: "/etc/barbican/barbican.conf"
regexp: "^password="
line: "password={{ users['barbican'] }}"
no_log: true
- name: Temporarily allow write permission for sm-api config
file:
path: "/etc/sm-api/sm-api.conf"
mode: 0640
- name: Update smapi config
lineinfile:
path: "/etc/sm-api/sm-api.conf"
regexp: "^password="
line: "password={{ users['smapi'] }}"
no_log: true
- name: Restore the original permission of sm-api config
file:
path: "/etc/sm-api/sm-api.conf"
mode: 0400
- name: Update mtc config
lineinfile:
path: "/etc/mtc.ini"
regexp: "^keystone_auth_pw"
line: "keystone_auth_pw = {{ users['mtce'] }} ; mtce auth password"
no_log: true
- name: Store service passwords in keyring
vars:
script_content: |
import keyring
import os
os.environ['XDG_DATA_HOME'] = "/opt/platform/.keyring/{{ software_version }}"
keyring.set_password("{{ item.username }}", "services", "{{ item.password }}")
del os.environ['XDG_DATA_HOME']
shell: "{{ script_content }}"
with_items:
- { username: 'sysinv', password: "{{ users['sysinv'] }}" }
- { username: 'patching', password: "{{ users['patching'] }}" }
- { username: 'mtce', password: "{{ users['mtce'] }}" }
- { username: 'smapi', password: "{{ users['smapi'] }}" }
- { username: 'dcmanager', password: "{{ users['dcmanager'] }}" }
- { username: 'barbican', password: "{{ users['barbican'] }}" }
args:
executable: /usr/bin/python
no_log: true
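Review bot: In "Update keystone passwords", `--password $'{{ item.password }}'` is bash ANSI-C quoting, so a backslash in the password is interpreted as an escape sequence and a single quote terminates the literal; the value stored in keystone can then differ from `users[...]`, and the task comment's claim that single quotes make special characters safe does not hold — `--password {{ item.password | quote }}` yields a correctly escaped literal with no escape processing. The keyring task has the mirror-image problem: the password is pasted into a Python string literal (`"{{ item.password }}"`), so a `"` or `\` breaks the script; pass it through `environment:` and read `os.environ` in the script instead. In both tasks the password is also part of the remote process's argv (`openstack … --password …`, `python -c <script>`), which is typically readable from /proc by other local users while the command runs; an environment variable or stdin avoids that exposure. `mode: 0640` / `mode: 0400` are parsed as octal integers by YAML 1.1, which Ansible handles, but the quoted form `mode: "0640"` is what the Ansible docs recommend and what yamllint expects.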


@ -0,0 +1,11 @@
---
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
platform_path: /opt/platform
puppet_path: /opt/platform/puppet
validate_keystone_passwords_script:
"{{ role_path }}/files/validate_keystone_passwords.sh"


@ -0,0 +1,22 @@
---
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# SUB-TASKS DESCRIPTION:
# These tasks are to copy the central registry's cert to subcloud
#
- name: Copy the central cloud registry certificate from central cloud to subcloud
copy:
src: "{{ docker_cert_dir }}/registry.local:9001/registry-cert.crt"
dest: "{{ docker_cert_dir }}/registry.central:9001/registry-cert.crt"
mode: preserve
- name: Store the central certificate to the shared filesystem
copy:
src: "{{ docker_cert_dir }}/registry.central:9001/registry-cert.crt"
dest: "{{ config_permdir }}/registry.central/registry-cert.crt"
remote_src: yes
mode: preserve
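Review bot: `remote_src: yes` is a YAML 1.1 truthy spelling; write `remote_src: true` to match the `no_log: true` style used elsewhere in this change and to satisfy yamllint's `truthy` rule. The first copy task has no `remote_src`, so its `src` is read from the Ansible controller rather than the subcloud; the task name implies that, but a one-line comment such as `# src is read from the central cloud (ansible controller); dest is on the subcloud` would make the asymmetry between the two tasks explicit.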


@ -0,0 +1,58 @@
---
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# ROLE DESCRIPTION:
# This role updates the network configuration for rehoming on subcloud
#
- name: Check existing host route in controller-0
# Checking if the static route to the new system controller subnet
# is already configured. If it is already configured, e.g. recovery
# from a disaster that the system controllers are reinstalled, the
# static routes should not be added again.
shell: >-
source /etc/platform/openrc; system host-route-list controller-0 |
awk '/{{ (system_controller_subnet | ipaddr(0)).split('/')[0] }}/'
register: existing_route_controller_0
- name: Add static route from controller-0 to system controller
shell: >-
source /etc/platform/openrc; system host-route-add controller-0
{{ controller_0_management_interface_result.stdout_lines[0] }}
{{ (system_controller_subnet | ipaddr(0)).split('/')[0] }}
{{ system_controller_subnet | ipaddr('prefix') }}
{{ management_gateway_address }}
when: existing_route_controller_0.stdout | length == 0
- block:
- name: Check existing host route in controller-1
shell: >-
source /etc/platform/openrc; system host-route-list controller-1 |
awk '/{{ (system_controller_subnet | ipaddr(0)).split('/')[0] }}/'
register: existing_route_controller_1
- name: Add static route from controller-1 to system controller
shell: >-
source /etc/platform/openrc; system host-route-add controller-1
{{ controller_1_management_interface_result.stdout_lines[0] }}
{{ (system_controller_subnet | ipaddr(0)).split('/')[0] }}
{{ system_controller_subnet | ipaddr('prefix') }}
{{ management_gateway_address }}
when: existing_route_controller_1.stdout | length == 0
when: system_mode != 'simplex'
- name: Update system controller's subnets
import_tasks: update_system_controller_subnet.yml
- name: Modify docker no_proxy if exists
shell: >-
source /etc/platform/openrc; system service-parameter-modify
docker proxy no_proxy={{ docker_no_proxy_combined | join(',') }}
when: existing_docker_no_proxy_result.stdout | length > 0
- name: Copy central registy cert
import_tasks: copy_central_registry_cert.yml
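Review bot: The `awk '/{{ ... }}/'` filter in "Check existing host route in controller-0" (and its controller-1 twin inside the block) uses the network address as an unescaped, unanchored regular expression, so each `.` matches any character and `10.10.10.0` also matches a route for `110.10.10.0`, which would wrongly skip adding the route; at minimum escape it, `awk '/{{ (system_controller_subnet | ipaddr(0)).split('/')[0] | regex_escape }}/'`, and if the route-list output has the network in a fixed column, compare that field for equality instead of a substring match. `existing_docker_no_proxy_result` in the last `when:` is not registered in this file — presumably it comes from `update_system_controller_subnet.yml` imported just above — so a comment naming where it is set would help the next reader.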
