master
1437 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
| Dmitriy Rabotyagov | 85bbd5f2c3 | Define unique hostname for QManager<br>Due to the shortcoming of QManager implementation [1], in case of uWSGI usage on metal hosts, the flow ends up with having the same hostname/processname set, making services fight over the same file under SHM. In order to avoid this, we prepend the hostname with a service_name. We cannot change processname instead, since it will lead to the fight between different processes of the same service. [1] https://bugs.launchpad.net/oslo.messaging/+bug/2065922 Change-Id: Ie8c68cad4a89e5fcc43dad53d895d093cb3fe671 | |
| Andrew Bonney | ae20d2d9fd | Add tag to enable targeting of post-install config elements only<br>`<service>-config` tags are quite broad and have a long execution time. Where you only need to modify a service's '.conf' file and similar it is useful to have a quicker method to do so. Change-Id: Idf0a0a7033d8f6c4d6efebff456ea3f19ea81185 | |
| Dmitriy Rabotyagov | 6a592e88d0 | Implement variables to address oslo.messaging improvements<br>During last release cycle oslo.messaging has landed [1] series of extremely useful changes that are designed to implement modern messaging techniques for rabbitmq quorum queues. Since these changes are breaking and require queues being re-created, it makes total sense to align these with migration to quorum queues by default. Change-Id: Ia5069c9976d07ee3949e637d8eb76a06b380cdec | |
| | bb958e66c6 | reno: Update master for unmaintained/zed<br>Update the zed release notes configuration to build from unmaintained/zed. Change-Id: Ic2423331f637f6054cc9c138aa6ca48ab3c08d61 | |
| Dmitriy Rabotyagov | 97c408e19d | Add variable to globally control notifications enablement<br>In order to be able to globally enable notification reporting for all services, without a need to have ceilometer deployed or bunch of overrides for each service, we add `oslomsg_notify_enabled` variable that aims to control behaviour of enabled notifications. Presence of ceilometer is still respected by default and being referenced. Potential usecase are various billing panels that do rely on notifications but do not require presence of Ceilometer. Change-Id: Ib5d4f174be922f9b6f5ece35128a604fddb58e59 | |
| Dmitriy Rabotyagov | 82d439c3fb | Add service policies definition<br>In order to allow definition of policies per service, we need to add variables so service roles, that will be passed to openstack.osa.mq_setup. Currently this can be handled by leveraging group_vars and overriding `oslomsg_rpc_policies` as a whole, but it's not obvious and can be non-trivial for some groups which are co-locating multiple services or in case of metal deployments. Change-Id: I6a4989df2cd53cc50faae120e96aa4480268f42d | |
| Zuul | 737da47464 | Merge "Include PKI role only once" | |
| Zuul | 4943bab3fd | Merge "fix apparmor profile for non-standard nova home" | |
| Dmitriy Rabotyagov | 466e7572bb | Include PKI role only once<br>This patch proposes to move condition on when to install certificates from the role include statement to a combined "view" for API and Consoles. While adding computes to the same logic might be beneficial for CI and AIO metal deployments, it potentially might have a negative effect for real deployments, as it will create bunch of Skipped tasks for computes so we leave them separated. With that API and Console are usually placed on same hosts, so it makes sense to distribute certs towards them once but keeping possibility of different hosts in mind. Change-Id: I8e28a79a6e3a5be1fe54004ea1d2c3a3ccdc20bc | |
| Zuul | 3c62a72725 | Merge "Enable deployers to force update cell mappings" | |
| Dmitriy Rabotyagov | 51177a6574 | Enable deployers to force update cell mappings<br>Add variable nova_cell_force_update to enable deployers to ensure that role execution will also update cell mappings whenever that is needed. For instance, it could be password rotation or intention to update MySQL address. Change-Id: I5b99d58a5c4d27a363306361544c5d80759483fd | |
| Dmitriy Rabotyagov | ea39d38321 | Ensure PKI role is run idempotently for AIO metal scenario<br>Due to clash in resulting certificate names they were re-generated each playbook run. In order to sort that we need to rename certificate names. As `nova_backend_ssl` was implemented latest and not that widely adopted, we change name for it. This will cause all backend certificates for API to be re-generated. Change-Id: I4bca3bb2733fe25dad71345f84d9030c535c901b | |
| Dmitriy Rabotyagov | 3515638326 | Ensure TLS is enabled properly for cell0 mapping DB connection<br>Once we've enabled TLS requirement in [1] jobs started failing on cell0 mapping as it was actually different and not connecting to MariaDB through TLS when it was assumed it is. [1] https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/911009 Change-Id: I96fa921cfdb849f59b5abd8452061d4c5bd04a76 | |
| Jimmy McCrory | 501cf14342 | Ensure nova_device_spec is templated as JSON string<br>When the nova_device_spec variable is provided as either a string or a mapping, ensure that it's templated as a JSON string. Also handle either strings or mappings within nova_device_spec if it's provided as a list. Closes-Bug: 2057961 Change-Id: I7041a19547af580408ff704578cb8f12d37da1ae | |
| Aleksandr Chudinov | 7bec243c62 | fix apparmor profile for non-standard nova home<br>In cases when non-standard path to nova instances is configured with nova_system_home_folder variable there may be problems with instances spawning due to libvirt virt-aa-helper missing permission in apparmor profile, this commit resolves this. Change-Id: I3d37eb5a9635044570690370dfcbc060ff4d9e49 | |
| Zuul | bfa8e12fcc | Merge "Fix nova device_spec to support multiple values" | |
| Dmitriy Rabotyagov | b78e8a68ea | Evaluate my_ip address once<br>Instead of evaluating same condition of my_ip in multiple places across the role this patch suggests doing this once in vars and using the resulting variable afterwards. This not only reduces the amount of evaluations made throughout the role runtime, but also solves possible corner cases where some syntax may go off. Closes-Bug: #2052884 Change-Id: I454b53713ecacf844ac14f77b6d1e1adc1322c0e | |
| Dmitriy Rabotyagov | 9843c47e81 | Always distribute qemu config file<br>In case when ceph is not being used as backend for nova, qemu.conf file is not distributed, thus some settings, like nova_qemu_vnc_tls do not have any effect. Closes-Bug: #2003749 Change-Id: I4bc68567cda57d73d030d9a5017cc411f7ee7732 | |
| Andrew Bonney | c7a976c584 | Fix nova device_spec to support multiple values<br>It appears there was a change to remove the list option when moving from pci_passthrough_whitelist. Instead device_spec can be specified multiple times in the file. This patch aims to resolve this whilst maintaining backwards compatibility. Change-Id: I12b38e45d7b41fbf4786d3320e511eb9127fe216 | |
| Dmitriy Rabotyagov | 5300fcea9d | Run ceph_client when cinder uses Ceph<br>In usecases where only cinder is using ceph we currently do not execute ceph_client role, which makes nodes failing to spawn instances from RBD volumes. Sample usecase where Glance might be using Swift and it might be desired to use local storage for Nova ephemeral drives, but cinder spawning volumes on Ceph. Currently this can be workarounded with setting `nova_rbd_inuse: True` but at the same time `nova_libvirt_images_rbd_pool: ''`, though this is counter-intuitive and this patch aims to improve this. Change-Id: I412d1e9ccb51f0cd33a98333bfa1a01510867fbe | |
| Dmitriy Rabotyagov | 5a533aae23 | Improve Blazar integration with Nova<br>As of today we do not have any means of Blazar integration with Nova, while we do provide roles for Blazar installation for a while now. This patch aims to bring in more native integration and remove necessity of overrides for such deployment. Related-Bug: #2048048 Co-Authored-By: Alexey Rusetsky <fenuks@fenuks.ru> Change-Id: Ica50a5504de1b1604f72123751cbb3f45c85ab46 | |
| Zuul | 20e83153bb | Merge "Drop until-complete flag for db purge" | |
| Damian Dabrowski | ab72a180e6 | Avoid failures when default libvirt network does not exist<br>This is a follow-up change to [1]. Depending on operating system and environment configuration, default libvirt network may not exist. Right now, `Check for libvirt default network` task throws an error in this case causing nova playbook to fail. This change fixes that by instructing ansible to not throw an error if `virsh net-list` fails with "Network not found: no network with matching name" because it is acceptable to not have this network. [1] https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/899768 Change-Id: If692bc94f421bc84ad9e6d43f548b68196a9e751 | |
| Damian Dabrowski | feb15af75b | Always disable libvirt default network<br>Currently, autostart for libvirt default network is disabled only when this network is active during nova playbook execution. It's an incorrect behavior because in some cases this network may not be active from the beginning. Autostart should be always disabled to ensure that this network will not be unexpectedly marked as active in the future (during package upgrade, host reboot etc.). Closes-Bug: #2042369 Change-Id: I697234bda1601b534ce1b6ab186fa98f83179ee8 | |
| Zuul | f372c88a09 | Merge "Add nova_libvirt_live_migration_inbound_addr to compute SAN" | |
| Zuul | 5b7678c503 | Merge "Cleanup upgrade to ssh_keypairs step" | |
| Dmitriy Rabotyagov | 51ce1d4923 | Drop until-complete flag for db purge<br>Flag --until-complete is not valid for the nova-manage db purge command, it is working only for archive_deleted_rows [1]. Supposedly it was a copy/paste mistake to keep the flag in place. [1] https://docs.openstack.org/nova/latest/cli/nova-manage.html#db-archive-deleted-rows Change-Id: I7be8c41bd52b955d83c4452e67ef323abe00969e | |
| Stuart Grace | 7f431ebcda | Use internal endpoint for barbican API<br>Nova defaults to using public endpoint for Barbican API which would require internet access from the compute node so change this to use the internal API endpoint. Change-Id: Iaa14a9bf80d2e02197e74d67e812afc518fe1b65 | |
| Dmitriy Rabotyagov | 4aa65eb606 | Fix logic of discovering hosts by service<br>For quite some time, we relate usage of --by-service flag for nova-manage cell_v2 discover_hosts command to the used nova_virt_type. However, we run db_post_setup tasks only once and delegating to the conductor host. With latest changes to the logic, when this task is included from the playbook level it makes even less sense, since definition of nova_virt_type for conductor is weird and wrong. Instead, we attempt to detect if ironic is in use by checking hostvars of all compute nodes for that. It will include host_vars, group_vars, all sort of extra variables, etc. Thus, ironic hosts should be better discovered now with nova-manage command. Related-Bug: #2034583 Change-Id: I3deea859a4017ff96919290ba50cb375c0f960ea | |
| Dmitriy Rabotyagov | 738ac83cf5 | Cleanup upgrade to ssh_keypairs step<br>We have migrated to usage of ssh_keypairs role a while ago and we can remove old migration clean-up task. Change-Id: Ie3cbeb4bd41d3137f2332f28dbc72c8028fb5b3a | |
| Dmitriy Rabotyagov | 155323fe68 | Add nova_libvirt_live_migration_inbound_addr to compute SAN<br>Some deployments might want to perform live migrations over dedicated networks, like fast storage network, while keeping management over default mgmt network. Current default behaviour will prevent such usecase, since nova_libvirt_live_migration_inbound_addr is not added to the generated for libvirtd certificate, and thus live migration will fail. Also to enable users override default behaviour more nicely and reduce code duplication, new variable ``nova_pki_compute_san`` was introduced, that handles SAN definition for compute nodes. Change-Id: I22cc1a20190f0573b0350369a6cea5310ab0f0a7 | |
| Zuul | 32867052d7 | Merge "Run nova_db_post_setup from playbook directly" | |
| Dmitriy Rabotyagov | b266f9cda4 | Stop generating ssh keypair for nova user<br>With transition to ssh-certificates for nova authorization, we no longer need to generate and have SSH certificates for the nova user. Change-Id: Iff105bafc177271cb59fb0662d4c139f56e64325 | |
| Dmitriy Rabotyagov | e4ffb047c0 | Run nova_db_post_setup from playbook directly<br>Due to some bugs delegation of tasks from compute to conductor hosts does not work in real life. Due to that task import was moved to the playbook level using role import in combination with tasks_from. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/897570 Change-Id: I777b1c90f57c805bc0a8593b5a5c7e63e43c4cd8 | |
| Dmitriy Rabotyagov | 6fd5535e57 | Add barbican_service_user section<br>Defining barbican_service_user is required for successful attachment of encrypted volumes to VMs. Without it being in place nova-compute fails with not being able to get service_token. Change-Id: I8ae3e263185b1cd8036a4fde12d9c950f2ce8b98 | |
| Dmitriy Rabotyagov | d82a9d424e | Fix example playbook linters<br>Change-Id: I0d44b87c2ac31827eeb72c1db3d48e0ca571633a | |
| Zuul | e57d076633 | Merge "Do not install qemu package on debian derived OS" | |
| Dmitriy Rabotyagov | 08ccb5108a | Split lines to not exceed 160 characters limit<br>Change-Id: Ia5afdded2df7ec80b36072dec3c7fbbce5600647 | |
| Jonathan Rosser | 76bbf0ff65 | Do not install qemu package on debian derived OS<br>This is a dummy package with almost no content and no dependencies. It does not exist on debian 12. Change-Id: Ibb330238e728af257d46812e64a58fc71a424a1f | |
| Marc Gariepy | 9d2924fa80 | Config has changed for pci passthrough.<br>updating the config for pci devices since the old config is deprecated. https://docs.openstack.org/nova/latest/configuration/config.html#pci.device_spec Change-Id: Id2da29464359b4845c7d05e3bec53759341f4bad | |
| Zuul | 6873b7d8a1 | Merge "Add quorum queues support for the service" | |
| Zuul | bf6aaf7ab0 | Merge "Enable multiple console proxies where required in deployments" | |
| Dmitriy Rabotyagov | da9793f18e | Add quorum queues support for the service<br>This change implements and enables by default quorum support for rabbitmq as well as providing default variables to globally tune its behaviour. In order to ensure upgrade path and ability to switch back to HA queues we change vhost names with removing leading `/`, as enabling quorum requires to remove exchange which is tricky thing to do with running services. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/875399 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/873618 Change-Id: I792595dac8b651debcd364cd245145721575a516 | |
| James Denton | a2fb474086 | Allow Glance region to be set via variable<br>The region_name var is missing from the [glance] block in the nova.conf template, and while a conf override can be used, all other service blocks have region_name defined and overridable with service_region. Change-Id: I28ac078f9ebe24c8799638e93d0967003d0c0605 | |
| Zuul | 2928f95e1a | Merge "Fix linters and metadata" | |
| Andrew Bonney | d0877c6fd3 | Enable multiple console proxies where required in deployments<br>When Nova is deployed with a mix of x86 and arm systems (for example), it may be necessary to deploy both 'novnc' and 'serialconsole' proxy services on the same host in order to service the mixed compute estate. This patch introduces a list which defines the required proxy console types. Change-Id: I93cece8babf35854e5a30938eeb9b25538fb37f6 | |
| Dmitriy Rabotyagov | 9b9bc21121 | Fix linters and metadata<br>With update of ansible-lint to version >=6.0.0 a lot of new linters were added, that are enabled by default. In order to comply with linter rules we're applying changes to the role. With that we also update metadata to reflect current state. Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223 Change-Id: I730ae569f199fc8542a5a61beb149f459465d7e2 | |
| Damian Dabrowski | 7000bc3f3f | Deprecate nova_ram_weight_multiplier<br>Long time ago a variable `nova_ram_weight_multiplier` was implemented and its default value was set to 5.0. There are 2 issues with this: 1. Default value in nova is 1.0 [1] so our value is much bigger than nova's default without having a strong reason for that. 2. OSA does not provide similar variables for other multipliers like `cpu_weight_multiplier`. Because there are a couple of different multipliers and more of them can be implemented in the future (for ex. `hypervisor_version_weight_multiplier` was implemented in 2023.2) it would be hard for the OSA project to maintain variables for all of them. It is better to deprecate `nova_ram_weight_multiplier` and let users define multipliers with `nova_nova_conf_overrides` if necessary. [1] https://docs.openstack.org/nova/2023.1/configuration/config.html#filter_scheduler.ram_weight_multiplier Change-Id: I4f82840e94312d38696e3ddd05ef494821233f4d | |
| Damian Dabrowski | c90a5c2b92 | Apply always tag to nova_virt_detect.yml<br>Running nova playbook with tag limit may lead to an error: The conditional check 'nova_virt_type != 'ironic'' failed. The error was: error while evaluating conditional (nova_virt_type != 'ironic'): 'nova_virt_type' is undefined\n\nThe error appears to be in '/etc/ansible/roles/os_nova/tasks/main.yml': line 289, column 3, but may be elsewhere in the file depending on the exact syntax problem. It can be easily fixed by applying always tag to tasks from nova_virt_detect.yml Change-Id: I56aee80180804b8a3e3316cffc6fa8115513b8f1 | |
| Dmitriy Rabotyagov | 47007578b1 | Install libvirt-daemon for RHEL systems<br>CentOS has upgraded their libvirt to version 9.3, where libvirt-daemon is not installed as a dependency anymore. So we need to explicitly install this package to restore functionality. [1] https://bugzilla.redhat.com/show_bug.cgi?id=2209936 Change-Id: Ic6f2606b5a478c7a891c25bd131ad351a19699bc | |