openstack/openstack-ansible-os_nova - openstack-ansible-os_nova - OpenDev: Free Software Needs Free Tools

With update of ansible version having variables in conditions is not
allowed anymore, which results in error like:
`Conditional is marked as unsafe, and cannot be evaluated`
Change-Id: I6e8e0ee1ffc2c154bac0f64f2e797281d7ba966f

in cases when non-standard path to nova instances is configured with nova_system_home_folder variable there may be problems with instances spawning due to libvirt virt-aa-helper missing permission in apparmor profile, this commit resolves this
Change-Id: I3d37eb5a9635044570690370dfcbc060ff4d9e49

In case when ceph is not being used as backend for nova, qemu.conf
file is not distributed, thus some settings, like nova_qemu_vnc_tls do
not have any effect
Closes-Bug: #2003749
Change-Id: I4bc68567cda57d73d030d9a5017cc411f7ee7732

This is a follow-up change to [1]. Depending on operating system and
environment configuration, default libvirt network may not exist.
Right now, `Check for libvirt default network` task throws an error in
this case causing nova playbook to fail.
This change fixes that by instructing ansible to not throw an error
if `virsh net-list` fails with "Network not found: no network with
matching name" because it is acceptable to not have this network.
[1] https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/899768
Change-Id: If692bc94f421bc84ad9e6d43f548b68196a9e751

Currently, autostart for libvirt default network is disabled only when
this network is active during nova playbook execution.
It's an incorrect behavior because in some cases this network may not be
active from the beginning.
Autostart should be always disabled to ensure that this network will not
be unexpectedly marked as active in the future(during package upgrade,
host reboot etc.).
Closes-Bug: #2042369
Change-Id: I697234bda1601b534ce1b6ab186fa98f83179ee8

With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metdata to reflect current state.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: I730ae569f199fc8542a5a61beb149f459465d7e2

Calico driver support has been removed from OpenStack-Ansible
starting in Antelope release [1]. We clean-up nove role to drop calico
support from it as well.
[1] https://review.opendev.org/c/openstack/openstack-ansible/+/866119
Change-Id: Ie9c118b8bab265e5bf06b6ec05731cd673ee4d95

Centos-9 no longer ships this file so skip adjusting it [1]. The
file should not exist on Centos-9 systems where OSA is used.
If this file is created by a deployer it will potentially
interfere with the operation of libvirt and other configuration
made by openstack-ansible.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2042529
Change-Id: Ieeba7fb803e151a9e6d0adac3d1512aef3785e9a

Change-Id: Ib13d07f4f8c8007be47e5a10a9f63f1e93986876

libvirtd.socket does monitor libvirtd.service and trigger service restart
when it spot that service is down.
However in order to enable tcp and tls sockets, we need libvirt
to be stopped.
Currently race condition can happen, when we stop libvirt, but it's
started by socket before we enable tls one.
To overcome this we stop socket along with service.
Change-Id: Iacc093311036fb8d6559a0e32252579303a639ba

Since all supported distros have libvirt version >= 5.7 there's
no reason to ensure that it is true.
So we remove corresponsive code and simplify logic.
Change-Id: I281829214df8affec7774a45a3ca0405a866b5c0

Change-Id: I5761e63ca609a617abfafe8d870dc4dc0b9c8096

We've created integrated linters check job a while back and it's successfully
working for several releases. At the moment we experience difficulties
with future maintenance of the linters check from the openstack-ansible-tests
repo. So instead of fixing current one, we replace it with modern version of
the test.
Change-Id: Ia1e4677d7e09bd74d57e9b48f606ddc1febf135a

When Nova and/or Cinder are using Ceph as backend, qemu will need
to open a connection and two threads for each and every Ceph OSD.
Since all connections occur in the same qemu process, this may result
in hitting default max open files limit.
Thus in case of more then 10 volumes are attached
to the same instance and are used actively can end up in blocked
IO operations inside VMs.
We increase these limits by default when RBD backend is used.
Change-Id: Ib3081280cdbae1eb2235083c95c27e2efd0b413e

It appears that usage of static imports is not allowed inside dynamicaly
included task. This results in ansible error which hasn't been catched
by CI for some reason.
Currently setup ends up with the following error for LXC deployments [1]
[1] http://paste.openstack.org/show/803922/
Change-Id: Id5081f204e168056c6588d21c71f5cf28afb214d

Tags are working differently with includes vs imports, so we should
respect that and use appropriently.
Change-Id: Iaa029ebb27cec98b51472ce4f127337fb83b8b45

All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible
Change-Id: I4a68549bf85fd322ea344139869916aae3275377

See https://github.com/ansible/ansible/issues/73654
Change-Id: I3cf2a30e0929835a84f0502bc4e87522b688b538

Since libvirt 5.7 we should not use traditional mode. Instead systemd
mode should be choosen. Sockets are provided by libvirt package.
We just need to conditionally enable or disable them.
As addition we changed nova_libvirtd_listen_tls to 0 by default
because listen_tls requires certificate to be provided which is not
the case in the current role state. So we also fix behaviour of the role
when nova_libvirtd_listen_tls is 1, supposing that deployer has manually
distributed certificates across compute hosts.
Change-Id: Id73cb67de26c305908d0245551fa57a7e6448784
Closes-Bug: #1903846 

Change-Id: I140b92dc6ccee3023d2a8965af768bd1c6488c5d

This reverts parts of commit 68d2839e18.
When running the nova playbooks without having "nova_virt_type" set. It
failed with:
"Error when evaluating variable in dynamic parent include path:
 drivers/{{ nova_virt_type }}/nova_compute_{{ nova_virt_type }}.yml.
 When using static imports, the parent dynamic include cannot utilize
 host facts or variables from inventory"
since the above commit. In ansible it's not allowed to call import_tasks
from a playbook which was included via include_tasks using a dynamic
include path. So we're switching back to "include_tasks" for the
affected playbook.
Change-Id: Ia0227886bd2cc59aab6d2861ef4aa9358d160925
Closes-Bug: 1845497

Change-Id: I14cf83e3691d5d39766bd71c4c0b051001fb703a

This driver has been retired [1] and tests are now failing becasue the
nova-lxd repo master branch is now empty.
[1] https://review.opendev.org/#/c/672283/
Change-Id: I9906ede54f6b41972a03bfa1d39ba5f99c6235ed

The PowerVM driver has been untested for a few years as well
as broken due to using the wrong driver as well. It's not possible
to test it within our infrastructure neither has there been any
contributions to improve/fix it.
This patch drops the support for it.
Change-Id: Iea84648c7ff65b5a4d8b97957fb92716578f714d

In order to boot UEFI instances successfully, the OVMF image
must be installed and located at the path that is hardcoded
inside Nova.
This patch takes care of installing the OVMF images and sets
up links to point towards the hardcoded path for operating
systems that don't install at the expected path.
Change-Id: I62f4aa26ffd0d2f3ba4aa19fbdb72578ef0223e4
Closes-Bug: #1825386
Closes-Bug: #1831279 

This patch adds support for this role to be able to deploy on
Debian Stretch.
Change-Id: I1058238e2467cc257ec48ba84fb89995079e9be7
Needed-By: I9a92b73c419a0dc1cca40dacfef75de61a61db94

The variables nova_developer_mode and nova_venv_download
no longer carry any meaning. This review changes nova to
do the equivalent of what developer_mode was all the time,
meaning that it always builds the venv and never requires
the repo server, but it will use a repo server when available.
We also change include_tasks to import_tasks and include_role
to import_role so that the tags in the python_venv_build role
will work.
Change-Id: I1a1ac5948f3bd647eb0ee5e10e9e7ae06b740bb7

Currently on CentOS7, while deploying nova, it gives libvirt
module import error. By adding venv_packages_to_symlink in
nova_source_install will symlink the packages defined in
nova_compute_kvm_packages_to_symlink and fixes the issue.
It removes nova_compute_kvm_install.yml to use python_venv_build
role.
Change-Id: I20a181c6c4901b3cc846a9f665e5def98aac5059

This implements the recommended syntax for searching to get rid of this;
---
[DEPRECATION WARNING]: Using tests as filters is deprecated.
Instead of using `result|search` use `result is search`.
This feature will be removed in version 2.9.
---
Change-Id: Ia8c6b66a4e2c6336e9374da6e3fdd81e17ba2346

This patch aims to provide the ability for the user
to enable nested kvm virtualization in a kvm compute node
through nova_nested_virt_enabled variable, which its defaults is False.
Change-Id: I64417221fb3d74453d979b7198a0e916e7f4dd23

Currently everything is wired in the venv to work on python2.
If the virtualenv was built during repo build with python3, the
linking of the library will fail, as the lib folder for python2
doesn't exist.
This should solve the issue by ensuring the existing lib folder
of the env is used.
A problem arises then: Different distros organise packages
differently, in different locations. This makes the approach
compatible with multi-distros and multiple python versions.
Change-Id: I02b296089d5351d68bb14e87e458a4f5d18a4776

With the more recent versions of ansible, we should now use
"is" instead of the "|" sign for the tests.
This should fix it.
Change-Id: If3e4366c22e900557e4730a7e8838f55ffe30ecc

Distributions provide packages for the OpenStack services so we add
support for using these instead of the pip ones.
Depends-On: https://review.openstack.org/#/c/579151/
Depends-On: https://review.openstack.org/#/c/579071/
Change-Id: Iff373b5402c664206b940b8e95a0b8845050213b
Implements: blueprint openstack-distribution-packages

The libvirt-python library has C bindings which are very particular
about the version of its companion package (libvirt). To ensure
things run smoothly for stable releases, we opt to use the distro
packages for these and symlink the appropriate library files and
binding into the venv.
This approach has been used successfully for the ceph python bindings.
Change-Id: Id962efe16c425424715409f071c4a304f8416001

`/etc/kernel/postinst.d/nova-kernel-permissions.sh` (introduced to fix Bug #1507915) is supposed to make newly installed kernels readable to the nova user, as kernels on an Ubuntu system are otherwise only readable to the root user [0].
This script didn't work for a few reasons:
- It never ran, because scripts in `/etc/kernel/postinst.d` are called by `run-parts`, and run-parts skips any script with a period in the name [1].
- Its shebang was missing its bang
- If installation of the same kernel is installed more than once (e.g. reinstallation), `dpkg-statoverride` (and the whole kernel installation) would exit with error, complaining about an override already existing [2].
Fixed with these changes respectively:
- Renamed script to remove the period
- Fixed typo in shebang
- Added `--force` flag to `dpkg-statoverride`
[0] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/759725
[1] https://bugs.launchpad.net/ubuntu/+source/debianutils/+bug/38022
[2] https://bugs.launchpad.net/openstack-manuals/+bug/1275080
Change-Id: I0e130e3c3ecf2171dbdc0e9a809f8066c30d4bc9
Closes-Bug: 1763479

This removes warnings in Ansible 2.4+.
The patch also removes "static:" arguments which are no longer
used by Ansible.
Change-Id: I6341e694cee527b4bcf46f813c09db9f1bcabb00

All operating systems supported by the role have systemd and these
conditionals are no longer needed.
Change-Id: I35500f7eec993b2bcdb245a995a05cacf2c596f8

By default KSM is enabled on Ubuntu, disabling it specificaly.
Change-Id: I689a851c5268db70e04564386952945fe5612cb0

Change-Id: I6515354a3ceb7f08a647a3e0b93ab06ad24e209c

These tasks should be tagged with 'nova-install' not 'nova-config'.
Closes-Bug: 1695846
Change-Id: I48e5f2adec7b53acc2054841f3f4c0ddad0f2015

This patch adds dnf support for CentOS.
Implements: blueprint centos-and-dnf
Change-Id: I41fbac74c03835c566bd9cac2a0b509caf47d657

Add support for the openSUSE Leap distributions. Similar to CentOS,
we need to modify the libvirt sysconfig file to enable/disable the
TCP/IP listening option. Moreover, we also update the zypper cache
before package installation.
Change-Id: I7b2a39eb38b5bee08c90f5188c53e0e5cf3d7e2e

We specify the full path and are not searching for a generic file, we
should rather use a direct include instead of using "with_first_found".
Additionally, we need the include paths within drivers/virt_type to be
relative rather than absolute - otherwise these files fail to be
included properly.
Change-Id: Ie9bd6d778d134bcba28f19a5e7895ccb8bb26da9

In order to do a developer mode that allows installation of packages
from local file, which take precedence over the developer_mode
constraints, we need to allow the order of the constraints to be changed.
This patch adds a "pip_install_developer_constraints" var which is used
to set the developer mode constraints. By default this will leave the
same behaviour but will allow additional constraints to be added, or the
developermode constraints file to be overriden altogether.
Change-Id: I9b639cf11f0197c996f9d87210142e898ad46191