From 698c281a5914469329ea738e44df306841b6ff64 Mon Sep 17 00:00:00 2001
From: Michal Nasiadka
Date: Thu, 2 Nov 2023 07:43:22 +0100
Subject: [PATCH 01/12] Improve neutron images regex

Match ML2/OVS agents only when OVN is not enabled.

Change-Id: Ia2ba7414202de6750b18ada47e7a5bb0b636e7b3
(cherry picked from commit d9ee59ea1bdf21f50f5798278b5f6c75bf638a04)
---
 ansible/group_vars/all/kolla | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ansible/group_vars/all/kolla b/ansible/group_vars/all/kolla
index 8267d4f72..aac866211 100644
--- a/ansible/group_vars/all/kolla
+++ b/ansible/group_vars/all/kolla
@@ -201,11 +201,11 @@ overcloud_container_image_regex_map:
 enabled: "{{ kolla_enable_multipathd | bool }}"
 - regex: ^murano
 enabled: "{{ kolla_enable_murano | bool }}"
- - regex: neutron-server
+ - regex: "neutron-\\(server\\|metadata-agent\\)"
 enabled: "{{ kolla_enable_neutron | bool }}"
 # Neutron SFC agent not currently supported on CentOS binary builds.
- - regex: "neutron-\\(dhcp\\|l3\\|metadata\\|linuxbridge\\|openvswitch\\)-agent"
- enabled: "{{ kolla_enable_neutron | bool }}"
+ - regex: "neutron-\\(dhcp\\|l3\\|linuxbridge\\|openvswitch\\)-agent"
+ enabled: "{{ kolla_enable_neutron | bool and not kolla_enable_ovn | bool}}"
 - regex: neutron-mlnx-agent
 enabled: "{{ kolla_enable_neutron_mlnx | bool }}"
 - regex: neutron-sriov-agent
From 0bb3ad8aac24f4716cbdc9840d4d8e7015f075ad Mon Sep 17 00:00:00 2001
From: Michal Nasiadka
Date: Thu, 23 Nov 2023 10:54:46 +0000
Subject: [PATCH 02/12] kolla-bifrost: Add precheck for inspection allocation pool

Change-Id: I73fad29af6a57b29afea46947d1ae90546253a2a
(cherry picked from commit 1e2ac5eb2829dac3f637c7f6c2e00b1c980b22c3)
---
 ansible/roles/kolla-bifrost/tasks/main.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ansible/roles/kolla-bifrost/tasks/main.yml b/ansible/roles/kolla-bifrost/tasks/main.yml
index ab8f1417b..ad5b6b40d 100644
--- a/ansible/roles/kolla-bifrost/tasks/main.yml
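Review bot: The new `enabled` expression on the ML2/OVS agent entry has no space before the closing `}}` and relies on Jinja binding `not` tighter than `and` (it does, so the logic is right); `enabled: "{{ kolla_enable_neutron | bool and not (kolla_enable_ovn | bool) }}"` reads unambiguously and matches the spacing of the neighbouring entries. `neutron-metadata-agent` moves to the `neutron-server` entry and is now pulled whenever Neutron is enabled, including on OVN deployments; if that is deliberate (for example because another image builds on it), a one-line comment above the entry would save the next reader the question. The enclosing `overcloud_container_image_regex_map` list starts before the hunk.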
+++ b/ansible/roles/kolla-bifrost/tasks/main.yml
@@ -1,4 +1,12 @@
 ---
+- name: Check if inspection allocation is defined
+ assert:
+ that:
+ - kolla_bifrost_dhcp_pool_start | length > 0
+ - kolla_bifrost_dhcp_pool_end | length > 0
+ - kolla_bifrost_dhcp_pool_mask | length > 0
+ fail_msg: "Inspection allocation pool for provisioning network is not properly defined"
+
 - name: Ensure the Kolla Bifrost configuration directories exist
 file:
 path: "{{ kolla_node_custom_config_path }}/bifrost"
From a14d05d537259e8bc9c8933a931a653b64660206 Mon Sep 17 00:00:00 2001
From: Will Szumski
Date: Tue, 27 Apr 2021 11:32:49 +0100
Subject: [PATCH 03/12] Honor custom ssh args in kayobe-ansible-user.yml

Using the raw module will honor ssh args. The slight change behaviour is that it will print an unreachable message and show an unreachable task in the summary.

Change-Id: I371e8a583c439264a88dbc4bdae14c472955a063
(cherry picked from commit ffbd1a7833b69b9dfdd56e5e4ff71e9bad925c8b)
---
 ansible/kayobe-ansible-user.yml | 13 ++++---------
 ...nor-ssh-args-for-bootstrap-ba894df14ba58167.yaml | 13 +++++++++++++
 2 files changed, 17 insertions(+), 9 deletions(-)
 create mode 100644 releasenotes/notes/honor-ssh-args-for-bootstrap-ba894df14ba58167.yaml

diff --git a/ansible/kayobe-ansible-user.yml b/ansible/kayobe-ansible-user.yml
index 6d081baf6..4568ab01a 100644
--- a/ansible/kayobe-ansible-user.yml
+++ b/ansible/kayobe-ansible-user.yml
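Review bot: The new assert applies `| length` directly to `kolla_bifrost_dhcp_pool_start`, `kolla_bifrost_dhcp_pool_end` and `kolla_bifrost_dhcp_pool_mask`, so a variable that is undefined or `None` raises a templating error instead of the `fail_msg` the task is named for. If any of them can be unset in a deployment, guard each condition with a default, e.g. `- kolla_bifrost_dhcp_pool_start | default('') | length > 0`, and the same for the other two, so the deployer sees the intended message. The task is also unconditional; if Bifrost inspection can be disabled elsewhere in the role, the precheck should be gated on that, which is not visible here.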
@@ -13,20 +13,15 @@
 - kayobe-ansible-user
 tasks:
 - name: Check whether the host is accessible via SSH
- local_action:
- module: command ssh -o BatchMode=yes -p {{ ssh_port }} {{ ssh_user }}@{{ ssh_host }} hostname
- failed_when: false
+ raw: hostname
+ ignore_unreachable: true
 changed_when: false
 check_mode: no
 register: ssh_result
- vars:
- ssh_user: "{{ ansible_user }}"
- ssh_host: "{{ ansible_host | default(inventory_hostname) }}"
- ssh_port: "{{ ansible_ssh_port | default('22') }}"
 - name: Group hosts requiring kayobe user bootstrapping
 group_by:
- key: kayobe_user_bootstrap_required_{{ ssh_result.rc != 0 }}
+ key: kayobe_user_bootstrap_required_{{ ssh_result.unreachable | default(false) }}
 changed_when: false
 - name: Display a message when bootstrapping is required
@@ -34,7 +29,7 @@
 msg: >
 Cannot access host via SSH using Kayobe Ansible user account - attempting bootstrap
- when: ssh_result.rc != 0
+ when: ssh_result.unreachable | default(false)
 - name: Ensure python is installed
 hosts: kayobe_user_bootstrap_required_True
diff --git a/releasenotes/notes/honor-ssh-args-for-bootstrap-ba894df14ba58167.yaml b/releasenotes/notes/honor-ssh-args-for-bootstrap-ba894df14ba58167.yaml
new file mode 100644
index 000000000..527d9a178
--- /dev/null
+++ b/releasenotes/notes/honor-ssh-args-for-bootstrap-ba894df14ba58167.yaml
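Review bot: The replacement `raw: hostname` task drops the old `failed_when: false`, so a reachable host on which the command exits non-zero now fails the task rather than being classified; keep `failed_when: false` next to `ignore_unreachable: true` so that only the unreachable result drives the `group_by` key. The removed command pinned `-o BatchMode=yes`; with `raw` the options come from Ansible's ssh connection plugin, which is the point of the change, but it means password-based inventories now behave per their connection settings rather than failing fast, which deserves a one-line comment on the task. Hosts using a non-ssh connection (for example `ansible_connection: local`) can never be unreachable here and so are never selected for bootstrapping; presumably intended, but not stated. The play header is outside the hunk.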
@@ -0,0 +1,13 @@ +--- +fixes: + - | + When determining whether or not a host needs bootstrapping, we attempt to + connect to the host using ansible_user, if the login fails, we then assume + that the host needs bootstrapping. In previous releases we used a manually + crafted ``ssh`` command. This did respect any customisations to the SSH + arguments made through ansible configuration. We now use the raw module so + that these customisations are used when connecting to the host. One + possible use case is to configure a jump host between the control host and + the target hosts. If bootstrapping was needed, hosts will now show as + unreachable in the summary stats at the end of the run. This can safely be + ignored. From 2711492262c4d31dbe6b336a502665346bce63e7 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Tue, 15 Aug 2023 11:19:41 +0100 Subject: [PATCH 04/12] Fix configuration dump with inline encrypted variables If inline Ansible vault encryption is used to define an encrypted variable in kayobe-config, running 'kayobe configuration dump -l ' fails with the following: Failed to decode config dump YAML file /tmp/tmp_fg1bv_j/localhost.yml: ConstructorError(None, None, "could not determine a constructor for the tag '!vault'", ) This change fixes the error by using the Ansible YAML loader which supports the vault tag. Any vault encrypted variables are sanitised in the dump output. Note that variables in vault encrypted files are not sanitised. Change-Id: I4830500d3c927b0689b6f0bca32c28137916420b Closes-Bug: #2031390 (cherry picked from commit 78702d0e3094e6d6a16a31eaf2517d4e0f25d1c7) --- kayobe/ansible.py | 19 +++++- kayobe/tests/unit/test_ansible.py | 66 ++++++++++++++++++- kayobe/tests/unit/test_utils.py | 54 +++++++++++++++ kayobe/utils.py | 20 +++++- .../config-dump-vault-edc615e475f234ac.yaml | 7 ++ 5 files changed, 162 insertions(+), 4 deletions(-) create mode 100644 releasenotes/notes/config-dump-vault-edc615e475f234ac.yaml 
diff --git a/kayobe/ansible.py b/kayobe/ansible.py
index d8dd80054..312a6cb57 100644
--- a/kayobe/ansible.py
+++ b/kayobe/ansible.py
@@ -21,6 +21,8 @@ import sys
 import tempfile
+from ansible.parsing.yaml.objects import AnsibleVaultEncryptedUnicode
+
 from kayobe import exception
 from kayobe import utils
 from kayobe import vault
@@ -257,6 +259,18 @@ def run_playbook(parsed_args, playbook, *args, **kwargs):
 return run_playbooks(parsed_args, [playbook], *args, **kwargs)
+def _sanitise_hostvar(var):
+ """Sanitise a host variable."""
+ if isinstance(var, AnsibleVaultEncryptedUnicode):
+ return "******"
+ # Recursively sanitise dicts and lists.
+ if isinstance(var, dict):
+ return {k: _sanitise_hostvar(v) for k, v in var.items()}
+ if isinstance(var, list):
+ return [_sanitise_hostvar(v) for v in var]
+ return var
+
+
 def config_dump(parsed_args, host=None, hosts=None, var_name=None,
 facts=None, extra_vars=None, tags=None, verbose_level=None):
 dump_dir = tempfile.mkdtemp()
@@ -282,7 +296,8 @@ def config_dump(parsed_args, host=None, hosts=None, var_name=None,
 LOG.debug("Found dump file %s", path)
 inventory_hostname, ext = os.path.splitext(path)
 if ext == ".yml":
- hvars = utils.read_yaml_file(os.path.join(dump_dir, path))
+ dump_file = os.path.join(dump_dir, path)
+ hvars = utils.read_config_dump_yaml_file(dump_file)
 if host:
 return hvars
 else:
@@ -290,7 +305,7 @@ def config_dump(parsed_args, host=None, hosts=None, var_name=None,
 else:
 LOG.warning("Unexpected extension on config dump file %s", path)
- return hostvars
+ return {k: _sanitise_hostvar(v) for k, v in hostvars.items()}
 finally:
 shutil.rmtree(dump_dir)
diff --git a/kayobe/tests/unit/test_ansible.py b/kayobe/tests/unit/test_ansible.py
index 1f4a13d52..03f3316c5 100644
--- a/kayobe/tests/unit/test_ansible.py
+++ b/kayobe/tests/unit/test_ansible.py
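Review bot: In the `@@ -282` hunk the single-host path `if host: return hvars` returns the loaded variables without passing them through `_sanitise_hostvar`, while the multi-host return in the `@@ -290` hunk does; a dump for one host with inline-vaulted variables therefore hands back raw `AnsibleVaultEncryptedUnicode` objects. Change it to `return _sanitise_hostvar(hvars)` (the helper already recurses into dicts) so both paths agree, and add a `host="host1"` case to the new test, since `test_config_dump_vaulted` only exercises the no-host path. `_sanitise_hostvar` would also benefit from a fuller docstring stating that it replaces inline vault-encrypted values with `"******"`, recurses through dicts and lists, and returns any other value unchanged. `config_dump` continues outside the hunks.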
@@ -402,7 +402,7 @@ def test_run_playbooks_failure(self, mock_validate, mock_vars, mock_run): ansible.run_playbooks, parsed_args, ["command"]) @mock.patch.object(shutil, 'rmtree') - @mock.patch.object(utils, 'read_yaml_file') + @mock.patch.object(utils, 'read_config_dump_yaml_file') @mock.patch.object(os, 'listdir') @mock.patch.object(ansible, 'run_playbook') @mock.patch.object(tempfile, 'mkdtemp') 
@@ -440,6 +440,70 @@ def test_config_dump(self, mock_mkdtemp, mock_run, mock_listdir, mock_read, mock.call(os.path.join(dump_dir, "host2.yml")), ]) + @mock.patch.object(shutil, 'rmtree') + @mock.patch.object(utils, 'read_file') + @mock.patch.object(os, 'listdir') + @mock.patch.object(ansible, 'run_playbook') + @mock.patch.object(tempfile, 'mkdtemp') + def test_config_dump_vaulted(self, mock_mkdtemp, mock_run, mock_listdir, + mock_read, mock_rmtree): + parser = argparse.ArgumentParser() + parsed_args = parser.parse_args([]) + dump_dir = "/path/to/dump" + mock_mkdtemp.return_value = dump_dir + mock_listdir.return_value = ["host1.yml", "host2.yml"] + config = """--- +key1: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 633230623736383232323862393364323037343430393530316636363961626361393133646437 + 643438663261356433656365646138666133383032376532310a63323432306431303437623637 + 346236316161343635636230613838316566383933313338636237616338326439616536316639 + 6334343462333062363334300a3930313762313463613537626531313230303731343365643766 + 666436333037 +key2: value2 +key3: + - !vault | + $ANSIBLE_VAULT;1.1;AES256 + 633230623736383232323862393364323037343430393530316636363961626361393133646437 + 643438663261356433656365646138666133383032376532310a63323432306431303437623637 + 346236316161343635636230613838316566383933313338636237616338326439616536316639 + 6334343462333062363334300a3930313762313463613537626531313230303731343365643766 + 666436333037 +""" + config_nested = """--- +key1: + key2: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 633230623736383232323862393364323037343430393530316636363961626361393133646437 + 643438663261356433656365646138666133383032376532310a63323432306431303437623637 + 346236316161343635636230613838316566383933313338636237616338326439616536316639 + 6334343462333062363334300a3930313762313463613537626531313230303731343365643766 + 666436333037 +""" + mock_read.side_effect = [config, config_nested] + result = ansible.config_dump(parsed_args) + expected_result = { + 
"host1": {"key1": "******", "key2": "value2", "key3": ["******"]}, + "host2": {"key1": {"key2": "******"}}, + } + self.assertEqual(result, expected_result) + dump_config_path = utils.get_data_files_path( + "ansible", "dump-config.yml") + mock_run.assert_called_once_with(parsed_args, + dump_config_path, + extra_vars={ + "dump_path": dump_dir, + }, + check_output=True, tags=None, + verbose_level=None, check=False, + list_tasks=False, diff=False) + mock_rmtree.assert_called_once_with(dump_dir) + mock_listdir.assert_any_call(dump_dir) + mock_read.assert_has_calls([ + mock.call(os.path.join(dump_dir, "host1.yml")), + mock.call(os.path.join(dump_dir, "host2.yml")), + ]) + @mock.patch.object(utils, 'galaxy_role_install', autospec=True) @mock.patch.object(utils, 'is_readable_file', autospec=True) @mock.patch.object(os, 'makedirs', autospec=True) diff --git a/kayobe/tests/unit/test_utils.py b/kayobe/tests/unit/test_utils.py index e1b4e2b02..c784cdad3 100644 --- a/kayobe/tests/unit/test_utils.py +++ b/kayobe/tests/unit/test_utils.py @@ -17,6 +17,7 @@ import unittest from unittest import mock +from ansible.parsing.yaml.objects import AnsibleVaultEncryptedUnicode import yaml from kayobe import exception 
@@ -125,6 +126,59 @@ def test_read_yaml_file_not_yaml(self, mock_read): mock_read.return_value = "[1{!" self.assertRaises(SystemExit, utils.read_yaml_file, "/path/to/file") + @mock.patch.object(utils, "read_file") + def test_read_config_dump_yaml_file(self, mock_read): + config = """--- +key1: value1 +key2: value2 +""" + mock_read.return_value = config + result = utils.read_config_dump_yaml_file("/path/to/file") + self.assertEqual(result, {"key1": "value1", "key2": "value2"}) + mock_read.assert_called_once_with("/path/to/file") + + @mock.patch.object(utils, "read_file") + def test_read_config_dump_yaml_file_vaulted(self, mock_read): + config = """--- +key1: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 633230623736383232323862393364323037343430393530316636363961626361393133646437 + 643438663261356433656365646138666133383032376532310a63323432306431303437623637 + 346236316161343635636230613838316566383933313338636237616338326439616536316639 + 6334343462333062363334300a3930313762313463613537626531313230303731343365643766 + 666436333037 +key2: value2 +key3: + - !vault | + $ANSIBLE_VAULT;1.1;AES256 + 633230623736383232323862393364323037343430393530316636363961626361393133646437 + 643438663261356433656365646138666133383032376532310a63323432306431303437623637 + 346236316161343635636230613838316566383933313338636237616338326439616536316639 + 6334343462333062363334300a3930313762313463613537626531313230303731343365643766 + 666436333037 +""" + mock_read.return_value = config + result = utils.read_config_dump_yaml_file("/path/to/file") + # Can't read the value without an encryption key, so just check type. 
+ self.assertTrue(isinstance(result["key1"],
+ AnsibleVaultEncryptedUnicode))
+ self.assertEqual(result["key2"], "value2")
+ self.assertTrue(isinstance(result["key3"][0],
+ AnsibleVaultEncryptedUnicode))
+ mock_read.assert_called_once_with("/path/to/file")
+
+ @mock.patch.object(utils, "read_file")
+ def test_read_config_dump_yaml_file_open_failure(self, mock_read):
+ mock_read.side_effect = IOError
+ self.assertRaises(SystemExit, utils.read_config_dump_yaml_file,
+ "/path/to/file")
+
+ @mock.patch.object(utils, "read_file")
+ def test_read_config_dump_yaml_file_not_yaml(self, mock_read):
+ mock_read.return_value = "[1{!"
+ self.assertRaises(SystemExit, utils.read_config_dump_yaml_file,
+ "/path/to/file")
+
 @mock.patch.object(subprocess, "check_call")
 def test_run_command(self, mock_call):
 output = utils.run_command(["command", "to", "run"])
diff --git a/kayobe/utils.py b/kayobe/utils.py
index 6ccc4b6e9..b51e0f98a 100644
--- a/kayobe/utils.py
+++ b/kayobe/utils.py
@@ -25,6 +25,7 @@ import subprocess
 import sys
+from ansible.parsing.yaml.loader import AnsibleLoader
 import yaml
 from kayobe import exception
@@ -154,11 +155,28 @@ def read_yaml_file(path):
 try:
 content = read_file(path)
 except IOError as e:
- print("Failed to open config dump file %s: %s" %
+ print("Failed to open YAML file %s: %s" %
 (path, repr(e)))
 sys.exit(1)
 try:
 return yaml.safe_load(content)
+ except yaml.YAMLError as e:
+ print("Failed to decode YAML file %s: %s" %
+ (path, repr(e)))
+ sys.exit(1)
+
+
+def read_config_dump_yaml_file(path):
+ """Read and decode a configuration dump YAML file."""
+ try:
+ content = read_file(path)
+ except IOError as e:
+ print("Failed to open config dump file %s: %s" %
+ (path, repr(e)))
+ sys.exit(1)
+ try:
+ # AnsibleLoader supports loading vault encrypted variables.
+ return AnsibleLoader(content).get_single_data()
+ except yaml.YAMLError as e:
+ print("Failed to decode config dump YAML file %s: %s" %
+ (path, repr(e)))
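Review bot: `self.assertTrue(isinstance(result["key1"], AnsibleVaultEncryptedUnicode))` in `test_read_config_dump_yaml_file_vaulted` gives an unhelpful message on failure; `self.assertIsInstance(result["key1"], AnsibleVaultEncryptedUnicode)`, and the same for `result["key3"][0]`, reports the actual type and fits on one line. The test class header is outside the hunk.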
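Review bot: `read_config_dump_yaml_file` duplicates `read_yaml_file` apart from the loader and the two messages; a small private helper taking the loader callable would keep the error handling and `sys.exit(1)` paths in one place. `AnsibleLoader` accepts a `file_name` argument, so `AnsibleLoader(content, file_name=path).get_single_data()` makes the Ansible parser errors name the file. PyYAML's own `load` calls `dispose()` on the loader in a `finally`; doing the same here is cheap and avoids holding parser state after a failed parse. The docstring should also state that no vault secrets are supplied, so encrypted values come back as `AnsibleVaultEncryptedUnicode` rather than plaintext, which is what the caller's sanitising relies on.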
diff --git a/releasenotes/notes/config-dump-vault-edc615e475f234ac.yaml b/releasenotes/notes/config-dump-vault-edc615e475f234ac.yaml new file mode 100644 index 000000000..f8e6a2fc7 --- /dev/null +++ b/releasenotes/notes/config-dump-vault-edc615e475f234ac.yaml @@ -0,0 +1,7 @@ +--- +fixes: + - | + Fixes an issue where ``kayobe configuration dump`` would fail when + variables are encrypted using Ansible Vault. Encrypted variables are now + sanitised in the dump output. `LP#2031390 + `__ From b2dd82da0ec29cb3e1ee6a0277cb0994f149c81c Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 1 Dec 2023 23:29:26 +0100 Subject: [PATCH 05/12] Use latest published CentOS Stream 8 image The image from 20220913 has been removed from cloud.centos.org. Change-Id: I8db8414987b9ae85f794d09f5eadff80b41a9c57 --- ansible/group_vars/all/infra-vms | 4 ++-- ansible/group_vars/all/seed-vm | 4 ++-- etc/kayobe/infra-vms.yml | 2 +- etc/kayobe/seed-vm.yml | 2 +- .../update-centos-cloud-image-latest-b967c585a23d1615.yaml | 5 +++++ 5 files changed, 11 insertions(+), 6 deletions(-) create mode 100644 releasenotes/notes/update-centos-cloud-image-latest-b967c585a23d1615.yaml diff --git a/ansible/group_vars/all/infra-vms b/ansible/group_vars/all/infra-vms index da4d6e537..0cdcbbd1c 100644 --- a/ansible/group_vars/all/infra-vms +++ b/ansible/group_vars/all/infra-vms @@ -48,7 +48,7 @@ infra_vm_root_format: qcow2 # or # https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 # when os_distribution is "rocky" and os_release is "9" -# "https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-20220913.0.x86_64.qcow2" +# "https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-latest.x86_64.qcow2" # otherwise. infra_vm_root_image: >- {%- if os_distribution == 'ubuntu' %} 
@@ -58,7 +58,7 @@ infra_vm_root_image: >-
 {%- elif os_distribution == 'rocky' and os_release == '9' %}
 https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2
 {%- else -%}
- https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-20220913.0.x86_64.qcow2
+ https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-latest.x86_64.qcow2
 {%- endif %}
 # Capacity of the infra VM data volume.
diff --git a/ansible/group_vars/all/seed-vm b/ansible/group_vars/all/seed-vm
index 6e5d3395c..81f5b6500 100644
--- a/ansible/group_vars/all/seed-vm
+++ b/ansible/group_vars/all/seed-vm
@@ -48,7 +48,7 @@ seed_vm_root_format: qcow2
 # or
 # https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2
 # when os_distribution is "rocky" and os_release is "9"
-# "https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-20220913.0.x86_64.qcow2"
+# "https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-latest.x86_64.qcow2"
 # otherwise.
 seed_vm_root_image: >-
 {%- if os_distribution == 'ubuntu' %}
@@ -58,7 +58,7 @@ seed_vm_root_image: >-
 {%- elif os_distribution == 'rocky' and os_release == '9' %}
 https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2
 {%- else -%}
- https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-20220913.0.x86_64.qcow2
+ https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-latest.x86_64.qcow2
 {%- endif %}
 # Capacity of the seed VM data volume.
diff --git a/etc/kayobe/infra-vms.yml b/etc/kayobe/infra-vms.yml
index c6efae735..069c0877c 100644
--- a/etc/kayobe/infra-vms.yml
+++ b/etc/kayobe/infra-vms.yml
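Review bot: The CentOS Stream 8 default in `infra_vm_root_image` and `seed_vm_root_image` moves from a pinned build (`...-8-20220913.0...`) to the mutable `...-8-latest...` name, so the image a deployment boots now changes silently whenever the mirror publishes a new build, and two runs of the same kayobe-config can no longer be assumed to provision identical VMs. Unless the download task verifies a checksum, which this patch does not show, nothing pins the content; a comment beside the default saying that deployers who need reproducibility should override the variable with a specific build (or a checksum variable next to it) would make the trade-off explicit. This is consistent with the existing Rocky `.latest` entry in the same template, so it is the file's convention rather than a regression. The same edit appears in the `@@ -48` comment hunks of both files and in the `etc/kayobe/*.yml` defaults, so one comment per file suffices.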
@@ -37,7 +37,7 @@ # or # https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 # when os_distribution is "rocky" and os_release is "9" -# "https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-20220913.0.x86_64.qcow2" +# "https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-latest.x86_64.qcow2" # otherwise. #infra_vm_root_image: diff --git a/etc/kayobe/seed-vm.yml b/etc/kayobe/seed-vm.yml index 5209b1b38..24122b033 100644 --- a/etc/kayobe/seed-vm.yml +++ b/etc/kayobe/seed-vm.yml @@ -31,7 +31,7 @@ # or # https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 # when os_distribution is "rocky" and os_release is "9" -# "https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-20220913.0.x86_64.qcow2" +# "https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-latest.x86_64.qcow2" # otherwise. #seed_vm_root_image: diff --git a/releasenotes/notes/update-centos-cloud-image-latest-b967c585a23d1615.yaml b/releasenotes/notes/update-centos-cloud-image-latest-b967c585a23d1615.yaml new file mode 100644 index 000000000..60315e74c --- /dev/null +++ b/releasenotes/notes/update-centos-cloud-image-latest-b967c585a23d1615.yaml @@ -0,0 +1,5 @@ +--- +update: + - | + Updates base CentOS Stream 8 cloud image to + CentOS-Stream-GenericCloud-8-latest.x86_64. From 17f6b8661b9ac011f925a849522f927aad1f9ea8 Mon Sep 17 00:00:00 2001 
From: Mark Goddard
Date: Tue, 28 Nov 2023 13:21:53 +0000
Subject: [PATCH 06/12] CI: Run configuration dump against localhost

Since using the to_bool function in more places in I3a5a43fef9c3d68d0db02be12b9f892c437e513d, we are now more strict about the result of the variable dump. If there are no controllers in the inventory, the result will not be a valid boolean and the to_bool function will exit non-zero. This change fixes the issue by running against localhost, which should always be in the inventory.

Change-Id: Idcfd9d335f11f6c4d676033128d207f62b363ee9
(cherry picked from commit 0f1f009a853cdb6571059a43f33e81f3134d5f4a)
---
 dev/functions | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/dev/functions b/dev/functions
index 78379c101..241d07c00 100644
--- a/dev/functions
+++ b/dev/functions
@@ -232,22 +232,22 @@ function upgrade_kayobe_venv {
 # Deployment
 function is_deploy_image_built_locally {
- ipa_build_images=$(kayobe configuration dump --host controllers[0] --var-name ipa_build_images)
+ ipa_build_images=$(kayobe configuration dump --host localhost --var-name ipa_build_images)
 to_bool "$ipa_build_images"
 }
 function is_ironic_enabled {
- ironic_enabled=$(kayobe configuration dump --host controllers[0] --var-name kolla_enable_ironic)
+ ironic_enabled=$(kayobe configuration dump --host localhost --var-name kolla_enable_ironic)
 to_bool "$ironic_enabled"
 }
 function is_overcloud_host_image_built_by_dib {
- overcloud_dib_build_host_images=$(kayobe configuration dump --host controllers[0] --var-name overcloud_dib_build_host_images)
+ overcloud_dib_build_host_images=$(kayobe configuration dump --host localhost --var-name overcloud_dib_build_host_images)
 to_bool "$overcloud_dib_build_host_images"
 }
 function is_cinder_enabled {
- flag="$(run_kayobe configuration dump --host controllers[0] --var-name kolla_enable_cinder)"
+ flag="$(run_kayobe configuration dump --host localhost --var-name kolla_enable_cinder)"
 to_bool "$flag"
 }
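Review bot: Of the four rewritten lines, `is_cinder_enabled` goes through `run_kayobe` while the other three call `kayobe` directly; since every one of these lines is being touched, aligning them all on `run_kayobe` (or a comment saying why only one needs the wrapper) would remove the inconsistency. Resolving against `localhost` assumes these variables are defined at a scope localhost can see, such as `all` group vars, rather than only on controllers; if any is controller-specific the dump would silently yield a different value, so a comment above the `# Deployment` block stating that assumption would protect future edits.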
From 2e309ef0469fd317534ed7ef34a228298a05fe18 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 1 Dec 2023 13:02:19 +0100 Subject: [PATCH 07/12] Remove kolla_enable_host_ntp variable This variable was configuring enable_host_ntp in kolla-ansible, which was removed in the Xena release. Change-Id: I737598d3bbe40b933b4b727eccc3b2a76ed97cdb (cherry picked from commit 8da5472ea84729334b4911080b00cf8929f3111e) --- ansible/kolla-ansible.yml | 1 - ansible/roles/kolla-ansible/defaults/main.yml | 6 ------ ansible/roles/kolla-ansible/templates/kolla/globals.yml | 4 ---- 3 files changed, 11 deletions(-) diff --git a/ansible/kolla-ansible.yml b/ansible/kolla-ansible.yml index a469e474d..f3f96320e 100644 --- a/ansible/kolla-ansible.yml +++ b/ansible/kolla-ansible.yml @@ -104,7 +104,6 @@ kolla_inspector_default_gateway: "{{ inspection_net_name | net_inspection_gateway or inspection_net_name | net_gateway }}" kolla_inspector_extra_kernel_options: "{{ inspector_extra_kernel_options }}" kolla_libvirt_tls: "{{ compute_libvirt_enable_tls | bool }}" - kolla_enable_host_ntp: false docker_daemon_mtu: "{{ public_net_name | net_mtu | default }}" kolla_globals_paths_extra: - "{{ kayobe_config_path }}" diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml index fddca5eaf..ca30bae94 100644 --- a/ansible/roles/kolla-ansible/defaults/main.yml +++ b/ansible/roles/kolla-ansible/defaults/main.yml @@ -284,12 +284,6 @@ kolla_internal_tls_cert: # Desired SELinux state. kolla_selinux_state: -############################################################################### -# NTP - -# Whether to enable the NTP daemon. -kolla_enable_host_ntp: - ############################################################################### # Docker configuration. diff --git a/ansible/roles/kolla-ansible/templates/kolla/globals.yml b/ansible/roles/kolla-ansible/templates/kolla/globals.yml index 58f8288ef..d2d67e879 100644 
--- a/ansible/roles/kolla-ansible/templates/kolla/globals.yml +++ b/ansible/roles/kolla-ansible/templates/kolla/globals.yml @@ -554,10 +554,6 @@ grafana_admin_username: "{{ grafana_local_admin_user_name }}" selinux_state: {{ kolla_selinux_state }} {% endif %} -{% if kolla_enable_host_ntp is not none %} -enable_host_ntp: {{ kolla_enable_host_ntp | bool }} -{% endif %} - # Kayobe performs creation of the Kolla Ansible user account, so there is no # need for Kolla Ansible to repeat this. create_kolla_user: false From afd9dec5f7dc28828162cfda84d40c95cf54723d Mon Sep 17 00:00:00 2001 From: Maksim Malchuk Date: Sun, 3 Dec 2023 22:04:27 +0300 Subject: [PATCH 08/12] docs: the page 'Editable installs' has moved Change-Id: I57fe9a6a5037adc341617bd35d3df83c81acc5b0 Signed-off-by: Maksim Malchuk (cherry picked from commit 46bba8eb27d9a601bf74e7367f4f20ef769e1cb7) --- doc/source/installation.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/installation.rst b/doc/source/installation.rst index fcb260016..a3082e9ae 100644 --- a/doc/source/installation.rst +++ b/doc/source/installation.rst @@ -160,7 +160,7 @@ Editable source installation ---------------------------- From Kayobe 5.0.0 onwards it is possible to create an `editable install -`__ +`__ of Kayobe. In an editable install, any changes to the Kayobe source tree will immediately be visible when running any Kayobe commands. To create an editable install, add the ``-e`` flag:: From 192e08da52a2c390806dd7fa67d32a8ca9fb1755 Mon Sep 17 00:00:00 2001 
From: Mark Goddard Date: Thu, 9 Jun 2022 15:31:22 +0100 Subject: [PATCH 09/12] docs: add information about enabling TLS to automated guide It only covers the internal API VIP, since we don't have a separate external API in the development environment. Change-Id: I28f2b43ddb8bad6097e690e766f0348b1b8a296b (cherry picked from commit 804c1cb669756abd512477263269def90ba3e077) --- doc/source/contributor/automated.rst | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/doc/source/contributor/automated.rst b/doc/source/contributor/automated.rst index c0e7cc657..4383f0556 100644 --- a/doc/source/contributor/automated.rst +++ b/doc/source/contributor/automated.rst @@ -81,6 +81,30 @@ This can be added using the following commands:: sudo ip l set eth1 up sudo ip l set eth1 master breth1 +Configuration +------------- + +Enable TLS +^^^^^^^^^^ + +Apply the following configuration if you wish to enable TLS for the OpenStack +API: + +Set the following option in ``config/src/kayobe-config/etc/kayobe/kolla.yml``: + +.. code-block:: yaml + + kolla_enable_tls_internal: "yes" + +Set the following options in +``config/src/kayobe-config/etc/kayobe/kolla/globals.yml``: + +.. code-block:: yaml + + kolla_copy_ca_into_containers: "yes" + openstack_cacert: "{% if os_distribution == 'ubuntu' %}/etc/ssl/certs/ca-certificates.crt{% else %}/etc/pki/tls/certs/ca-bundle.crt{% endif %}" + kolla_admin_openrc_cacert: "{% if os_distribution == 'ubuntu' %}/etc/ssl/certs/ca-certificates.crt{% else %}/etc/pki/tls/certs/ca-bundle.crt{% endif %}" + Usage ----- @@ -101,6 +125,10 @@ its dependencies in a Python virtual environment:: changes will not been seen until you reinstall the package. To do this you can run ``./dev/install.sh``. +If you are using TLS and wish to generate self-signed certificates:: + + export KAYOBE_OVERCLOUD_GENERATE_CERTIFICATES=1 + Run the ``dev/overcloud-deploy.sh`` script to deploy the OpenStack control plane:: 
From 1c45e8b109a00b55275b8cdfd28118df5cdbf807 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 7 Dec 2023 15:01:56 +0100 Subject: [PATCH 10/12] Sync Kolla Ansible feature flags for stable/yoga Change-Id: I42192ff8c2f251855a11bc5306e402707f851325 --- ansible/roles/kolla-ansible/vars/main.yml | 6 ++++++ etc/kayobe/kolla.yml | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/ansible/roles/kolla-ansible/vars/main.yml b/ansible/roles/kolla-ansible/vars/main.yml index 043f32124..73a8e1344 100644 --- a/ansible/roles/kolla-ansible/vars/main.yml +++ b/ansible/roles/kolla-ansible/vars/main.yml @@ -108,6 +108,7 @@ kolla_feature_flags: - gnocchi - gnocchi_statsd - grafana + - grafana_external - hacluster - haproxy - haproxy_memcached @@ -147,6 +148,7 @@ kolla_feature_flags: - keystone_federation - keystone_horizon_policy_file - kibana + - kibana_external - kuryr - loadbalancer - magnum @@ -159,6 +161,8 @@ kolla_feature_flags: - mariabackup - mariadb - masakari + - masakari_hostmonitor + - masakari_instancemonitor - memcached - mistral - monasca @@ -201,6 +205,7 @@ kolla_feature_flags: - placement - prometheus - prometheus_alertmanager + - prometheus_alertmanager_external - prometheus_blackbox_exporter - prometheus_cadvisor - prometheus_ceph_mgr_exporter @@ -210,6 +215,7 @@ kolla_feature_flags: - prometheus_haproxy_exporter - prometheus_libvirt_exporter - prometheus_memcached_exporter + - prometheus_msteams - prometheus_mysqld_exporter - prometheus_node_exporter - prometheus_openstack_exporter diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml index 94a6e9f29..1734696ea 100644 --- a/etc/kayobe/kolla.yml +++ b/etc/kayobe/kolla.yml @@ -299,6 +299,7 @@ #kolla_enable_gnocchi: #kolla_enable_gnocchi_statsd: #kolla_enable_grafana: +#kolla_enable_grafana_external: #kolla_enable_hacluster: #kolla_enable_haproxy: #kolla_enable_haproxy_memcached: 
@@ -338,6 +339,7 @@
 #kolla_enable_keystone_federation:
 #kolla_enable_keystone_horizon_policy_file:
 #kolla_enable_kibana:
+#kolla_enable_kibana_external:
 #kolla_enable_kuryr:
 #kolla_enable_loadbalancer:
 #kolla_enable_magnum:
@@ -350,6 +352,8 @@
 #kolla_enable_mariabackup:
 #kolla_enable_mariadb:
 #kolla_enable_masakari:
+#kolla_enable_masakari_hostmonitor:
+#kolla_enable_masakari_instancemonitor:
 #kolla_enable_memcached:
 #kolla_enable_mistral:
 #kolla_enable_monasca:
@@ -392,6 +396,7 @@
 #kolla_enable_placement:
 #kolla_enable_prometheus:
 #kolla_enable_prometheus_alertmanager:
+#kolla_enable_prometheus_alertmanager_external:
 #kolla_enable_prometheus_blackbox_exporter:
 #kolla_enable_prometheus_cadvisor:
 #kolla_enable_prometheus_ceph_mgr_exporter:
@@ -401,6 +406,7 @@
 #kolla_enable_prometheus_haproxy_exporter:
 #kolla_enable_prometheus_libvirt_exporter:
 #kolla_enable_prometheus_memcached_exporter:
+#kolla_enable_prometheus_msteams:
 #kolla_enable_prometheus_mysqld_exporter:
 #kolla_enable_prometheus_node_exporter:
 #kolla_enable_prometheus_openstack_exporter:
From aa7f7f365f7008085a2b90d6c74e9fcd41e69345 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 7 Dec 2023 21:06:15 +0100 Subject: [PATCH 11/12] Clean up release notes This is a partial cherry-pick since only some changes were backported. Change-Id: I96f00721c173cf095463424c0ca8779c54943591 (cherry picked from commit 99d03686936dd1378e0d50289dd0ab8f0badcd8d) (cherry picked from commit 5bff84f80fb51c43fe0821e23d49741b849485f8) (cherry picked from commit eb8ff22f6bfffa03e505c6cee57e89a0f741eded) --- ...or-ssh-args-for-bootstrap-ba894df14ba58167.yaml | 14 +++++++------- ...kolla-passwords-overrides-065fd6bb8eb9689d.yaml | 8 ++++---- 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/releasenotes/notes/honor-ssh-args-for-bootstrap-ba894df14ba58167.yaml b/releasenotes/notes/honor-ssh-args-for-bootstrap-ba894df14ba58167.yaml
index 527d9a178..434408642 100644
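Review bot: The new `#kolla_enable_grafana_external:`, `#kolla_enable_kibana_external:` and `#kolla_enable_prometheus_alertmanager_external:` entries in `etc/kayobe/kolla.yml` read, from their names, as switches that publish those web UIs on the external (public) API VIP rather than plain service toggles, yet the operator-facing template adds them with no hint of that, and their effective defaults live in Kolla Ansible and are not visible here. A one-line comment above each `_external` entry would stop a dashboard being exposed by accident, e.g. `# Publishes the Grafana UI on the external API VIP; check Kolla Ansible's default before enabling Grafana.` The matching `kolla_feature_flags` additions in `ansible/roles/kolla-ansible/vars/main.yml` need no change for this. It is worth confirming what stable/yoga Kolla Ansible defaults each `_external` flag to before assuming it is off.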
--- a/releasenotes/notes/honor-ssh-args-for-bootstrap-ba894df14ba58167.yaml +++ b/releasenotes/notes/honor-ssh-args-for-bootstrap-ba894df14ba58167.yaml @@ -2,12 +2,12 @@ fixes: - | When determining whether or not a host needs bootstrapping, we attempt to - connect to the host using ansible_user, if the login fails, we then assume - that the host needs bootstrapping. In previous releases we used a manually - crafted ``ssh`` command. This did respect any customisations to the SSH - arguments made through ansible configuration. We now use the raw module so - that these customisations are used when connecting to the host. One - possible use case is to configure a jump host between the control host and - the target hosts. If bootstrapping was needed, hosts will now show as + connect to the host using ``ansible_user``, if the login fails, we then + assume that the host needs bootstrapping. In previous releases we used a + manually crafted ``ssh`` command. This did not respect any customisations + to the SSH arguments made through Ansible configuration. We now use the raw + module so that these customisations are used when connecting to the host. + One possible use case is to configure a jump host between the control host + and the target hosts. If bootstrapping was needed, hosts will now show as unreachable in the summary stats at the end of the run. This can safely be ignored. diff --git a/releasenotes/notes/kolla-passwords-overrides-065fd6bb8eb9689d.yaml b/releasenotes/notes/kolla-passwords-overrides-065fd6bb8eb9689d.yaml index adc5318e7..e66f05799 100644 --- a/releasenotes/notes/kolla-passwords-overrides-065fd6bb8eb9689d.yaml +++ b/releasenotes/notes/kolla-passwords-overrides-065fd6bb8eb9689d.yaml 
@@ -6,9 +6,9 @@ fixes: ``kolla_ansible_default_custom_passwords`` and own dictionary with custom passwords in configuration files. Now ``kolla_ansible_extra_custom_passwords`` should provide only user custom - passwords to add or override in the passwords.yml. + passwords to add or override in ``kolla/passwords.yml``. upgrade: - | - Now no need to combine ``kolla_ansible_default_custom_passwords`` and - ``kolla_ansible_custom_passwords`` in your custom configuration. Just use - ``kolla_ansible_extra_custom_passwords`` to add or override passwords. + Introduces a new variable ``kolla_ansible_extra_custom_passwords`` to avoid + the need to combine ``kolla_ansible_default_custom_passwords`` and + ``kolla_ansible_custom_passwords`` when adding or overriding passwords. From 2c625dd590e0b0a1cdcfe0ec6b34dfc147b6b7c6 Mon Sep 17 00:00:00 2001 From: Stig Telfer Date: Tue, 28 Nov 2023 21:55:32 +0000 Subject: [PATCH 12/12] Fix gateway assignment when seed SNAT is disabled Fix a logic issue when seed SNAT is not enabled. In this circumstance Bifrost was generating ConfigDrive data with the default gateway unset even when one is available on the admin network. This regression was introduced in Ib847d3420dee374cec067cd8af519b510be04120 [1]. [1] https://review.opendev.org/c/openstack/kayobe/+/898434 Closes-Bug: #2045926 Change-Id: Ifd9f9cd389ac09448fc91dba74f8f09595698b55 (cherry picked from commit 49f91043c6c3b0549a8625baba1e6e218eb69160) --- ansible/kolla-bifrost-hostvars.yml | 2 +- .../notes/fix-bifrost-gateway-b4bc8a0396dfa935.yaml | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/fix-bifrost-gateway-b4bc8a0396dfa935.yaml diff --git a/ansible/kolla-bifrost-hostvars.yml b/ansible/kolla-bifrost-hostvars.yml index c74a4f88b..a916c6f88 100644 --- a/ansible/kolla-bifrost-hostvars.yml +++ b/ansible/kolla-bifrost-hostvars.yml 
@@ -22,7 +22,7 @@
 # If the admin network does not have a gateway defined and seed SNAT is
 # enabled, use the seed as a gateway to allow external access until other
 # networks have been configured. Otherwise, do not set any gateway.
- ipv4_gateway: "{{ admin_oc_net_name | net_gateway or admin_oc_net_name | net_ip(seed_host) if seed_enable_snat | bool }}"
+ ipv4_gateway: "{{ (admin_oc_net_name | net_gateway) or (admin_oc_net_name | net_ip(seed_host) if seed_enable_snat | bool) }}"
 ipv4_nameserver: "{{ resolv_nameservers }}"
 network_mtu: "{{ admin_oc_net_name | net_mtu or '1500' }}"
 vlan_id: "{{ '' if admin_oc_net_name == provision_oc_net_name else (admin_oc_net_name | net_vlan) }}"
diff --git a/releasenotes/notes/fix-bifrost-gateway-b4bc8a0396dfa935.yaml b/releasenotes/notes/fix-bifrost-gateway-b4bc8a0396dfa935.yaml
new file mode 100644
index 000000000..b2075e90a
--- /dev/null
+++ b/releasenotes/notes/fix-bifrost-gateway-b4bc8a0396dfa935.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Fixes gateway assignment when seed SNAT is disabled. In this circumstance
+ Bifrost was generating ConfigDrive data with the default gateway unset even
+ when one is available on the admin network.
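Review bot: The fixed `ipv4_gateway` expression still leans on an else-less inline `if`: when `seed_enable_snat` is false the right-hand operand of `or` is an undefined value, and the "no gateway" outcome presumably depends on the templater rendering that as an empty string, the same corner of Jinja precedence and undefined handling that produced the regression this commit fixes. An explicit else branch makes the three cases (network gateway; seed as gateway when SNAT is on; nothing) self-evident and keeps the rendered value a string every time: `ipv4_gateway: "{{ (admin_oc_net_name | net_gateway) or (admin_oc_net_name | net_ip(seed_host) if seed_enable_snat | bool else '') }}"`. Given that the regression shipped unnoticed, a test covering those three combinations would be worth adding alongside the release note. The mapping this key belongs to starts outside the hunk.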