In order to reduce divergance with ansible-lint rules, we apply
auto-fixing of violations.
In current patch we replace all kind of truthy variables with
`true` or `false` values to align with recommendations along with
alignment of used quotes.
Change-Id: If512039bae99218e054a8841cb32c3903b616ed7
Configuration of RPC for ironic-inspector was a bit of a mixed
bag, with some config fixed at defaults which are only relevant
for HA queues. This conforms it to the way the majority of
variables are managed.
Note that this changes the default for
ironic_inspector_oslomsg_rpc_use_ssl, but this should be set via
oslomsg_rpc_use_ssl anyway.
This also removes various unused inspector notification defaults.
Change-Id: I7edc658f57de5ffc6d4aa158b02d26fa3ad71c9d
As noted in https://bugs.launchpad.net/ironic/+bug/2074090
the kernel and ramdisk images now need to be uploaded in raw
format due to fixes for underlying CVEs.
Change-Id: I2b74d9ab4d07a4d5b6045d353cf91db70c4e6cb1
See https://review.opendev.org/c/openstack/ironic/+/907148
Ironic enables oslo policy RBAC changes from 2024.1 by default.
Once enabled, in theory system scoped tokens are required for
various actions, but in practice this doesn't necessarily work
when interacting with other services.
New Ironic variables provide the means to continue with a
relatively standard deployment without having to make
far-reaching policy changes.
Change-Id: I2cb53414cce3a899a0db5f74e56798de95c6c4b1
During last release cycle oslo.messaging has landed [1] series of extremely
useful changes that are designed to implement modern messaging
techniques for rabbitmq quorum queues.
Since these changes are breaking and require queues being re-created,
it makes total sense to align these with migration to quorum queues by default.
[1] https://review.opendev.org/q/topic:%22bug-2031497%22
Change-Id: Ia0d7ac84ced77511b82f28e409477e4d1589adb6
In order to be able to globally enable notification reporting for all services,
without an need to have ceilometer deployed or bunch of overrides for each
service, we add `oslomsg_notify_enabled` variable that aims to control
behaviour of enabled notifications.
Presence of ceilometer is still respected by default and being referenced.
Potential usecase are various billing panels that do rely on notifications
but do not require presence of Ceilometer.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/914144
Change-Id: I9efc107116b149b75b2ed8b54335758e57d6dabc
In order to allow definition of policies per service, we need to add variables
to service roles, that will be passed to openstack.osa.mq_setup.
Currently this can be handled by leveraging group_vars and overriding `oslomsg_rpc_policies` as a whole, but it's not obvious and
can be non-trivial for some groups which are co-locating multiple services
or in case of metal deployments.
Change-Id: Ia7bb2a6ddd3ccdf887ca514ff6b03f41fb8af612
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
it's behaviour.
In order to ensure upgrade path and ability to switch back to HA queues
we change vhost names with removing leading `/`, as enabling quorum
requires to remove exchange which is tricky thing to do with running
services.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/896017
Change-Id: I0f6ae74be36c0cb7a2270cfa1085c44e6dd4dc77
There is no obvious need to have an SSH keypairs for ironic user
I was not able to find any proof in the project installation guide that
such keypairs were ever needed. Thus, such functionality is removed.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/896017
Change-Id: I493d5f5aa0a915e7bc9fb7dbcd2673749c0b95d3
Keystone has stopped providing or reffering `_member_` role for a while,
thus role should not be refferenced anymore.
Moreover, with 2023.1 service policies have dropped `_member_`
which resulted in the role to be insufficient for basic operations.
Change-Id: I3ee97d4b7a3070211dbba3824f9d605da3b8bd01
Related-Bug: #2029486
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metdata to reflect current state.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: I1ab9664505068c20924370790322caa67cc6e022
By overriding the variable `ironic_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the ironic backend api.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: If97a857c36e9e3e7ad8a18926bb9cbf04189c7cb
Enabling this driver type ensures that the no-console, no-raid
and no-inspect interfaces are enabled so that they can be later
configured on a per-node basis if required.
These interfaces are useful to have enabled at the same time as
driver specific interfaces such as idrac or ilo in order so that
managment of specific functions can be disabled if required.
Change-Id: I2904ba005e3fa18faf8ccf04661e206501fa4aa3
This patch adds the `console` field to the ironic_driver_types
variable and then enables a set of console drivers in the ironic
config through the `enabled_console_interfaces` option.
If `ipmitool-socat` is one of the enabled drivers, then the socat
distro package is installed to support that.
Defaults are added for socat bind address and port range to
use.
[1] https://opendev.org/openstack/ironic/src/branch/master/doc/source/admin/upgrade-to-hardware-types.rst
Change-Id: I36dd1a0ec69e5702143a1a26bd5901fc88706e84
Some of these files are already statically defined in the role vars,
but cannot be extended. The new variable ironic_tftp_extra_content
allows either local files (path:) or files from a web server (url:)
to be copied into the tftp server root.
A feature like this is needed to copy EFI firmware to the tftp root
for ironic node CPU architectures that are different to the
ironic control plane nodes. The EFI firmware is sometimes not
available from the system package manager for architechtures
different to the host CPU.
Change-Id: Ie30c009d0704b87c2298088935a7f2ec0d55c6fb
Ironic and inspector are extensible via the stevedore framework.
In order to add extra plugins to the ironic and inspector venvs
extra variables are needed to supply user defined lists of python
packages to install.
Change-Id: I656abb90827486bbb69bf0ccd7e990fd680f2c51
The directory for the tftp server defined consistently between ironic
and inspector, but not for the http directory.
This patch makes the definition of the http directory work the same
way as the tftp one.
Change-Id: I8d893faa31e5858c4923cb12ef453ec9397db5df
It might be needed to supply a list of extra deploy images as
well as the defaults, possibly to cover architectures in
addition to x86.
Change-Id: I2ecf21c44bac75b0e2cbf3bd786821ff0b7bf31a
1) The variable to allow processing hooks to be configured is used
in the ironic-inspector template but not documented in the role defaults.
Add the default and an example of usage.
2) When using LLDP to discover switchport connections during
inspection it is necessary to pass an additional kernel parameter
to the deploy image but there is no variable to allow this to
happen. This patch adds a variable that the deployer can use
to pass arbitrary kernel parameters to the deploy image.
Change-Id: I2f67dfcf4164e009bf53e9324bd430aec4c97dcb
The deploy image is required in two places in an ironic deployment,
first as images uploaded to glance for the ironic service, and second
as files on a web server for the ironic-inspector service.
Previously this role only placed the deploy images on the ironic
inspector web server, but this patch provides the functionality to
also upload the images to glance.
The variables for ironic deploy image source locations are
consolidated so that only one set are required to run the tasks
for both ironic and ironic-inspector, and several overrides are
available allowing the source to be overidden to a local mirror
easily.
Finally - the name of the files placed on the inspector web server
and into glance represent the upstream name of the image files rather
than generic names which lose versioning and release information.
Change-Id: I1aed9d97a4ddbfb70d2375f5204c55374d1067c9
For a simple unrouted network these do not exist, but the role
currently forces bogus values to be given for the dhcpd template.
Allow the values to be unset to reduce confusion.
Change-Id: I609a05c50d1de5668f2b092e3a3ef1015e944fe6
Define the callback URL in the role defaults so it can be specifically
overridden rather than needing to use config_template to override
the entire kernel parameters line in the inspector ipxe config.
Change-Id: Ib8d53b394937405c821687b1c46b2b19112267dd
Ironic has replaced deprecated pxe_append_params config option
with kernel_pxe_params. The ironic.conf template has been changed
accordingly, but support remains for config override
ironic_pxe_append_params.
Change-Id: Icedd2b8f0e81607caba93afd34557bd4c3a88b4d
Currently the ironic role uses ansible_host as the IP to bind these
services to, which means that in an LXC deployment it is not
possible to provision ironic hosts on the bmaas network as
the services are instead bound to the mgmt network.
The code worked previously as it is most likley developed on metal
and the CI job does not actually enrol/provision a node so the
test coverage is very small.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/852174
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/854231
Change-Id: Id544d395f42f4c36a17e9c20a35aeb56a5e3bf03
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.
Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I1d70c2c46fef6ffc0fcebe4b56a0ecdedc1d3298
This patchset aims to correct some design limitations with the current
ironic-inspector deploy process.
- a new ironic-inspector-dnsmasq service has been created to split
inspector-specific dnsmasq configuration out of the base dnsmasq
config files
- PXE/iPXE and UEFI support for ironic-inspector boot
- (todo) documentation improvements and diagrams
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823426
Change-Id: Ib5cbb28f97dd7421bfecb815def89305f3b1da33
The [glance]glance_api_servers configuration option has been deprecated
since Pike and removed in 2019 per Ironic commit
dcfb4f10f31c11afa350ef6418a0e12e6be6e5b2. Removing from ironic.conf
template.
Change-Id: I3b09514635ee0c8665c425bd1fe42fb594361a0e
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: I1c90ce68ce218d538cd89b111dc1ee4142f14eef
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.
Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.
[1] 78f0cf99e5/pymysql/connections.py (L267)
Change-Id: I79e43119830da22f09d7666b25054c6c14c28ffb
Instead of overriding each service separatelly it might make
sense for deployers to define some higher level variable that
will be used first or fallback to default variable.
Change-Id: Ib2928efaa35bd82f6e6f65fecf32cf8da2eb9f5d
