openstack/openstack-ansible-os_nova - openstack-ansible-os_nova - OpenDev: Free Software Needs Free Tools

Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_mount/+/951891
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/951947
Change-Id: I85f622312612723a6960ba0e77520b4b8fa1be1a
Signed-off-by: Dmitriy Rabotyagov <noonedeadpunk@gmail.com>

Change-Id: Ie30910f99962a26ec066c79aaf01c37d45e0a52c
Signed-off-by: Ivan Anfimov <lazekteam@gmail.com>

This removes tox evs which are dependent on a tests repo framework,
which was deprecated.
Change-Id: I57d54c60fad3b37b330196bf3cfd8767c42fcbdc
Co-authored-by: Dmitriy Rabotyagov <dmitriy.rabotyagov@cleura.com>
Signed-off-by: Ivan Anfimov <lazekteam@gmail.com>

run_tests.sh was part of functional testing framwork which was
deprecated.
Vagrantfile while running integrated tests, does not contain
any supported distro
and effectively unmaintained.
Change-Id: I8ff83305f432110708bc63f67bd69afcc74a1c10
Co-authored-by: Dmitriy Rabotyagov <dmitriy.rabotyagov@cleura.com>
Signed-off-by: Ivan Anfimov <lazekteam@gmail.com>

Change-Id: I6f1681b3329f4089671a0aed7b89558bd2159455
Signed-off-by: Ivan Anfimov <lazekteam@gmail.com>

xorriso in EL10 no longer contains genisoimage to prepare config_drive
image. mkisofs is already used by devstack on Fedora [1] and
reported to work on SUSE 15 as well
[1] https://opendev.org/openstack/devstack/src/branch/master/lib/nova#L535-L537
Change-Id: Ia36a5225aae501e7ffe556e54b459fe7f8fa97bd
Signed-off-by: Dmitriy Rabotyagov <dmitriy.rabotyagov@cleura.com>

As rootwrap.d is now shipped by nova, we don't need to ensure that
directory exists explicitly.
Related-Bug: #2115295
Change-Id: If4aa8b289dc5664d36fd67991d481f49670a13f9
Signed-off-by: Dmitriy Rabotyagov <dmitriy.rabotyagov@cleura.com>

Drop the os_nova task "Copy nova rootwrap filter config", as it is a leftover from an earlier cleanup where rootwrap.d files were removed from the codebase.
Change-Id: Ia5620952fb50c6cc6a3e47f18f67a1b1cd77992f
Closes-Bug: #2115295 

Libvirt configuration should not be needed outside of the compute hosts,
which shall reduce amount of parameters in nova.conf for
scheduler/api.
Change-Id: Ic74feafa0a9fa26ea8453cacf99cf6a53decf877

nova already removed support for UML (User Mode Linux) and Xen.
Change-Id: I8e9d6f2f0045b5b2a55aaba937f1bde22951b1e0

Currently there is no way to avoid auto-discovery of mdev devices.
The only way to avoid them propagating to nova.conf is through
the config override.
Change-Id: Ie1c40a427599e610278262cfdb55fdcf017d4ede

Change-Id: I75bdecd4a2452b56b19561432e0b77791f111c95

The tags framework has been discontinued for a long time.
https://governance.openstack.org/tc/reference/tags/
https://governance.openstack.org/tc/resolutions/20211224-tags-framework-removal.html
Change-Id: Iff34b4422de9d8a8983ddede15d90e65598219eb

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/942775
Needed-By: https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/942783
Change-Id: I833fb0018184a3ae24c4fea23c661b038cdc3f81

The `difference()` filter inputs a list, and takes another list as
parameter, computes a set difference between the two, and returns
the resulting (unordered) list.
This is documented here:
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/difference_filter.html
This filter was changed in:
7d3d4572ed
The behaviour changed in ansible-core between 2.15 and 2.16:
```
 ################################################################
 ### Testing ansible-core==2.16
 ################################################################
 PLAY [Test ansible difference filter] ******************************************
 TASK [debug] *******************************************************************
 ok: [localhost] => {
 "msg": "diff with a string: ['one', 'two', 'six'] | difference('two') => ['one', 'six', 'two']"
 }
 TASK [debug] *******************************************************************
 ok: [localhost] => {
 "msg": "diff with a list: ['one', 'two', 'six'] | difference(['two']) => ['one', 'six']"
 }
 PLAY RECAP *********************************************************************
 localhost : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
 ################################################################
 ### Testing ansible-core==2.15
 ################################################################
 PLAY [Test ansible difference filter] ******************************************
 TASK [debug] *******************************************************************
 ok: [localhost] => {
 "msg": "diff with a string: ['one', 'two', 'six'] | difference('two') => ['one', 'six']"
 }
 TASK [debug] *******************************************************************
 ok: [localhost] => {
 "msg": "diff with a list: ['one', 'two', 'six'] | difference(['two']) => ['one', 'six']"
 }
 PLAY RECAP *********************************************************************
 localhost : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
```
The above was generated by using: https://github.com/vincent-legoll/test_ansible_diff
Closes-Bug: #2096936
Change-Id: I7a57c829803fc5baa8b1d3a1805c102f04b8ab2c
Signed-off-by: Vincent Legoll <vincent.legoll@iphc.cnrs.fr>

Since ansible-core 2.10 it is recommended to use modules via FQCN
In order to align with recommendation, we perform migration
by applying suggestions made by `ansible-lint --fix=fqcn`
Change-Id: I335f0f1bcdb5e5564ce3f82f44eec7d8c6ab4e0e

In order to reduce divergance with ansible-lint rules, we apply
auto-fixing of violations.
In current patch we replace all kind of truthy variables with
`true` or `false` values to align with recommendations along with
alignment of used quotes.
Change-Id: Ie1737a7f88d783e39492c704bb6805c89a199553

Support is removed in oslo.messaging so we remove support in
openstack-ansible roles.
Change-Id: I13f77bb8b63b3cc3d198dcbf918a6708f7d9d80e

This change matches an earlier modification to os_neutron
Currently we symlink /etc/<service> to empty directory at pre-stage,
and filling it with config only during post_install. This means,
that policies and rootwrap filters are not working properly until
playbook execution finish. Additionally, we replace sudoers file
with new path in it, which makes current operations impossible for
the service, since rootwrap can not gain sudo privileges.
With this change we move symlinking and rootwrap steps to handlers,
which means that we will do replace configs while service is stopped.
During post_install we place all of the configs inside the venv,
which is versioned at the moment.
This way we minimise downtime of the service while performing upgrades
Closes-Bug: #2056180
Change-Id: I9c8212408c21e09895ee5805011aecb40b689a13

In case compute nodes using non-standard SSH port or some other
hacky connection between each other, deployers might need to
supply extra configuration inside it.
community.general.ssh_config module was not used, as it requires extra
`paramiko` module to be installed on each destination host.
Change-Id: Ic79aa391e729adf61f5653dd3cf72fee1708e2f5

With ansible-core 2.16 a breaking changes landed [1] to some filters
making their result returned in arbitrary order. With that, we were
relying on them to always return exactly same ordered lists.
With that we need to ensure that we still have determenistic behaviour
where this is important.
[1] https://github.com/ansible/ansible/issues/82554
Change-Id: If26ec122b8defaa1dc1a44f8d6cb2510982cfdf7

The qemu-efi package does not exist on Ubuntu Noble, so instead
install the specific package for the host architecture.
Change-Id: Id91cafc9c2f234bd5f18017a99f757f2bd751b35

The default value for heartbeat_in_pthread has been reverted in
oslo.messaging to False [1] and backported back to Yoga.
At the moment this setting brings intermittent issues during live
migrations of instances and some other operations. So makes sense
to align it with default value.
[1] https://review.opendev.org/c/openstack/oslo.messaging/+/852251
Change-Id: I5601726095ff19620de2d87220efad191cf7cb6d

According to the documentation, it is expected to have a multiline data
inside vendor_data.json [1]
[1] https://cloudinit.readthedocs.io/en/latest/reference/datasources/openstack.html#vendor-data
Depends-On: https://review.opendev.org/c/openstack/ansible-config_template/+/924217
Closes-Bug: #2073171
Change-Id: Ifc1239e4ef768e94c44d8d07df7a0b93c73638f9

With update of ansible version having variables in conditions is not
allowed anymore, which results in error like:
`Conditional is marked as unsafe, and cannot be evaluated`
Change-Id: I6e8e0ee1ffc2c154bac0f64f2e797281d7ba966f

Due to the shortcoming of QManager implementation [1], in case of uWSGI
usage on metal hosts, the flow ends up with having the same
hostname/processname set, making services to fight over same file
under SHM.
In order to avoid this, we prepend the hostname with a service_name.
We can not change processname instead, since it will lead to the fight
between different processes of the same service.
[1] https://bugs.launchpad.net/oslo.messaging/+bug/2065922
Change-Id: Ie8c68cad4a89e5fcc43dad53d895d093cb3fe671

<service>-config tags are quite broad and have a long execution
time. Where you only need to modify a service's '.conf' file and
similar it is useful to have a quicker method to do so.
Change-Id: Idf0a0a7033d8f6c4d6efebff456ea3f19ea81185

During last release cycle oslo.messaging has landed [1] series of extremely
useful changes that are designed to implement modern messaging
techniques for rabbitmq quorum queues.
Since these changes are breaking and require queues being re-created,
it makes total sense to align these with migration to quorum queues by default.
Change-Id: Ia5069c9976d07ee3949e637d8eb76a06b380cdec

Update the zed release notes configuration to build from
unmaintained/zed.
Change-Id: Ic2423331f637f6054cc9c138aa6ca48ab3c08d61

In order to be able to globally enable notification reporting for all services,
without an need to have ceilometer deployed or bunch of overrides for each
service, we add `oslomsg_notify_enabled` variable that aims to control
behaviour of enabled notifications.
Presence of ceilometer is still respected by default and being referenced.
Potential usecase are various billing panels that do rely on notifications
but do not require presence of Ceilometer.
Change-Id: Ib5d4f174be922f9b6f5ece35128a604fddb58e59

In order to allow definition of policies per service, we need to add variables
so service roles, that will be passed to openstack.osa.mq_setup.
Currently this can be handled by leveraging group_vars and overriding `oslomsg_rpc_policies` as a whole, but it's not obvious and
can be non-trivial for some groups which are co-locating multiple services
or in case of metal deployments.
Change-Id: I6a4989df2cd53cc50faae120e96aa4480268f42d

This patch proposes to move condition on when to install certificates from
the role include statement to a combined "view" for API and Consoles.
While adding computes to the same logic might be beneficial for CI and
AIO metal deployments, it potentially might have a negative effect for
real deployments, as it will create bunch of Skipped tasks for computes
so we leave them separated.
With that API and Console are usually placed on same hosts, so it makes
sense to distribute certs towards them once but keeping possibility of
different hosts in mind.
Change-Id: I8e28a79a6e3a5be1fe54004ea1d2c3a3ccdc20bc

Add variable nova_cell_force_update to enable deployers to ensure that
role execution will also update cell mappings whenever that is needed.
For instance, it could be password rotation or intention to update MySQL
address.
Change-Id: I5b99d58a5c4d27a363306361544c5d80759483fd

Due to clash in resulting certificate names they were re-genearated each
playbook run.
In order to sort that we need to rename certificate names. As `nova_backend_ssl`
was implemented latest and not that widely adopted, we change name
for it.
This will cause all backend certificates for API to be re-generated.
Change-Id: I4bca3bb2733fe25dad71345f84d9030c535c901b

Once we've enabled TLS requirement in [1] jobs started failing on cell0
mapping as it was actually different and not connecting to MariaDB through
TLS when it was assumed it is.
[1] https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/911009
Change-Id: I96fa921cfdb849f59b5abd8452061d4c5bd04a76

When the nova_device_spec variable is provided as either a string or a
mapping, ensure that it's templated as a JSON string.
Also handle either strings or mappings within nova_device_spec if it's
provided as a list.
Closes-Bug: 2057961
Change-Id: I7041a19547af580408ff704578cb8f12d37da1ae

in cases when non-standard path to nova instances is configured with nova_system_home_folder variable there may be problems with instances spawning due to libvirt virt-aa-helper missing permission in apparmor profile, this commit resolves this
Change-Id: I3d37eb5a9635044570690370dfcbc060ff4d9e49