7a0c0f0ad27c9eae188f33d99b95f5299b9b7fc4
1263 Commits
| Author | SHA1 | Message |
|---|---|---|
| Andrew Bonney | 7a0c0f0ad2 | **Fix nova-key tag handling** It appears that this tag stopped working recently when switching from import to include syntax. This patch adds the necessary 'always' tag to ensure the 'nova-key' tag gets carried through. Change-Id: Iee1dca9221b6968d11be54fc1df03b2f8a6c3f44 |
| Zuul | 4618d8d95c | Merge "Refactor use of include_vars" |
| Zuul | b9dea9e4a0 | Merge "Enable recursion in combine() filter" |
| Jonathan Rosser | 1c353392c3 | **Refactor use of include_vars** Use a first_found lookup instead of a with_first_found loop so that the 'paths' parameter can be used. This ensures that only vars from the role are included, and not vars from a parent calling role. This can happen when a parent role has a higher priority vars file available for inclusion than the role it calls. Change-Id: I046def5a5cc94f680bc0daa3a2a1734f325d8022 |
| Damian Dabrowski | 0a0776df36 | **Enable recursion in combine() filter** Ansible's combine() filter needs the recursive=True parameter in order to recursively merge nested hashes. https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#combining-hashes-dictionaries Change-Id: I2e84c0370c04336c124e5b6549b638483f107601 |
| Andrew Bonney | 7a33271509 | **Revert "Disable shell for nova when tunneled migration not used"** This reverts commit |
| Andrew Bonney | 0bdf469993 | **Reinstate ssh key distribution for all nova deployments** Further testing has revealed that cold migration still requires SSH communication between hypervisors, which requires SSH keys to be distributed between hosts. Change-Id: Ida18b057d68d4edf7ce6dd2a46ef990f34ad36e3 |
| Dmitriy Rabotyagov | ca352be75b | **Disable shell for nova when tunneled migration not used** Change-Id: If4d036794cf8edb14e6b0ed491cf0de78f425b2c |
| OpenStack Proposal Bot | 31e053e944 | **Updated from OpenStack Ansible Tests** Change-Id: If2279eba00d9a0da23464491167bb496901c47c0 |
| OpenStack Proposal Bot | f67e879225 | **Updated from OpenStack Ansible Tests** Change-Id: I59a095d0d7d20063454fded5c8fbd2d40c633ebd |
| Dmitriy Rabotyagov | 7faf500a87 | **Don't fail when nova_console_type is disabled** Change-Id: I63ac851ab8195a2eaaa6474d31af999f22584ca5 |
| Zuul | 6015ee227c | Merge "Database connection pooling improvements" |
| Dmitriy Rabotyagov | 0536843b26 | **Fix PKI include condition** In order for AIO to pass against the ironic role, we need to cover the case when ironic_compute == nova_compute host. For that we use a more common condition and verify virt_type, which must be set for Ironic. Change-Id: I7540e4c6848bad80c368a1227b09437428fe64a2 Closes-Bug: #1952649 |
| Damian Dabrowski | fcd582731b | **Database connection pooling improvements** - Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling - Set new default values for db pooling variables which are inherited from the global ones. Change-Id: Ibc876f2744c271e9c4ad797597c15af8d73867c1 |
| Zuul | 9200186888 | Merge "Refactor definition of lock path" |
| Zuul | d8d0e4a9af | Merge "Use config_template as a collection" |
| Zuul | dc6d040d2b | Merge "Exclude ironic_compute hosts from PKI tasks" |
| James Denton | 11ec8d572e | **Exclude ironic_compute hosts from PKI tasks** This patch excludes ironic_compute hosts, which don't run libvirtd, from the PKI/SSL certificate business. Closes-Bug: #1952649 Change-Id: I57455b9f54f0a5ae0f1f8e1a424df930cd6bab48 |
| Dmitriy Rabotyagov | 3bc115b8a1 | **Revert UEFI firmware workaround** Change-Id: I5761e63ca609a617abfafe8d870dc4dc0b9c8096 |
| Dmitriy Rabotyagov | 36d6f4f48c | **Use config_template as a collection** Since we still use ceph-ansible, which has its own implementation of the config_template module, it's worth using the mentioned module as a collection explicitly. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819814 Change-Id: If8db876955572d0fc809414bf38370a9aac84a2e |
| Dmitriy Rabotyagov | 93ef742841 | **Refactor definition of lock path** Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819300 Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/819298 Change-Id: If5622f736e17f0f187a0740d60ea435d03a131bb |
| Dmitriy Rabotyagov | b0a26dbd7d | **Fix certificates group permissions** Change-Id: I6fded616989ccae02d9d34efb68543336f87f848 |
| Zuul | e9f3c79832 | Merge "Allow to provide mdev addresses as list" |
| Zuul | db6e446bc7 | Merge "Enable TLS for VNC from novncproxy to compute hosts" |
| Dmitriy Rabotyagov | ab3bbd50d5 | **Allow to provide mdev addresses as list** With new Ampere GPUs you need to explicitly define lists of PCI devices whose length depends on the picked type, as placement can't pick them automatically due to nvidia driver brokenness. In order to have a readable representation of the variable it's worth making it iterable but keeping a simple string for backwards compatibility. Change-Id: I2a1e85efc8ad4f6a2596e6d53b1d793b2f934758 |
| Zuul | d62950ac51 | Merge "Enable TLS for live migrations" |
| Zuul | 14c229ad94 | Merge "Rename nova_enabled_vgpu_types" |
| James Gibson | 2b8d5a0b88 | **Enable TLS for VNC from novncproxy to compute hosts** To secure communications from the proxy server to the compute nodes using the VeNCrypt authentication scheme. In a previous patch a TLS server certificate was deployed to compute nodes; this patch makes use of this same server cert for securing VNC sessions on compute nodes. It is recommended that this certificate be issued by a dedicated certificate authority solely for the VNC service, as libvirt does not currently have a mechanism to restrict what certificates can be presented by the proxy server. This has not been implemented to reduce complexity. In addition the noVNC proxy needs to present a client certificate so only approved VNC proxy servers can connect to the compute nodes. The PKI role has been used to create a client certificate for the nova console nodes. Related Nova docs: https://docs.openstack.org/nova/latest/admin/remote-console-access.html To help with the transition from unencrypted VNC to VeNCrypt, initially the compute nodes' auth scheme allows for both encrypted and unencrypted sessions using the variable `nova_vencrypt_auth_scheme`; this will be removed in future releases. Change-Id: Iafb788f80fd401c6ce6e4576bafd06c92431bd65 |
| James Gibson | ad8bda5f64 | **Enable TLS for live migrations** Instead of using SSH to live migrate VMs, use TLS as this is more secure and SSH migrations are deprecated. https://docs.openstack.org/nova/xena/admin/secure-live-migration-with-qemu-native-tls.html A pre-existing PKI (Public Key Infrastructure) setup is required. TLS live migrations require that all compute hosts can communicate with each other on port 16514 and port range 49152 to 49261. To enable TLS live migrations, both libvirt and QEMU require server and client certificates; the server certificate is used to verify servers and the client cert is used by servers to authenticate clients. A single cert is created by the pki role that can be used by both libvirt and QEMU for both client and server auth. The client, server and CA certificates need to be installed in a number of locations on each compute host: * For Libvirt https://libvirt.org/tlscerts.html * For QEMU https://github.com/libvirt/libvirt/blob/master/src/qemu/qemu.conf Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/815007 Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/815849 Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/816857 Change-Id: Iddbe8764bb6d3cd3eaee122b2d5ddc02fa3f7662 |
| Dmitriy Rabotyagov | af44f385d7 | **Rename nova_enabled_vgpu_types** In order to reflect the upstream nova variable change [1] we rename nova_enabled_vgpu_types to nova_enabled_mdev_types. [1] https://docs.openstack.org/nova/latest/configuration/config.html#devices.enabled_mdev_types Change-Id: I7fcc6f6fbfd8e6e358036e72a82348b9cefe74ef |
| Dmitriy Rabotyagov | aa05a3fa93 | **Refactor galera_use_ssl behaviour** With the PKI role in place, in most cases you don't need to explicitly provide the path to the CA file because the PKI role ensures that the CA is trusted by the system overall. Meanwhile, in PyMySQL [1] you must either provide a CA file or cert/key or enable verify. Since the current behaviour is to provide the path to the custom CA, we expect the certificate to be trusted overall. Thus we enable cert verification when galera_use_ssl is True. [1] |
| likui | 0f25baaa38 | **Changed minversion in tox to 3.18.0** The patch bumps the min version of tox to 3.18.0 in order to replace tox's whitelist_externals by the allowlist_externals option: https://github.com/tox-dev/tox/blob/master/docs/changelog.rst#v3180-2020年07月23日 Change-Id: I5b77381ceaa34e2069b226fc6825f78cefc57a30 |
| Zuul | 254726bdb7 | Merge "Use version from repo_packages for SPICE HTML5" |
| Zuul | 1ee475f1b1 | Merge "Drop CentOS 7 specific task" |
| Gaudenz Steinlin | 9244767bcd | **Use version from repo_packages for SPICE HTML5** Use the version pinned in repo_packages/nova_consoles.yml in openstack-ansible to install the SPICE HTML5 client. Without this change the version pin in openstack-ansible has no effect and the role always installs master. This is the same change as already done for the noVNC console in commit |
| Dmitriy Rabotyagov | 476c39273e | **Drop CentOS 7 specific task** CentOS 7 support has been removed for a while and there is no reason to carry a task that is specific to this version. Change-Id: I6735188f5fc75b44f587e6a810c8e8aad73df684 |
| Jonathan Rosser | 1a358f5dc2 | **Add galera port to nova config and database template** This always existed as a default value but was only used for service setup, never in the runtime db connection url. Update the URL and database connection template to include the port. Change-Id: Ie404c117146c6bbd7eea79300f7c85515fa4e27d |
| Dmitriy Rabotyagov | 4e88bdb7da | **Don't rely on compute_hosts existence** There might be scenarios when the compute_hosts group is not present, but we still need to deploy the nova scheduler. So we have to set a default for groups['compute_hosts']. Change-Id: I18d42e902b0b3eb5494bcffb424731dfe85c74f9 |
| Zuul | f7cb4f60e7 | Merge "Add libcapstone4 pinning from backports" |
| Damian Dabrowski | 56fdbfe0d8 | **Dynamically compute nova_scheduler_host_subset_size value** Having this variable set to 10 might be a very bad option for small environments. On the other side, switching back to the nova default value (1) also has other disadvantages. I think the best option is to add some logic here and compute a proper value based on the number of compute nodes. Change-Id: I073875d380b14771cff434620553eada5068a430 |
| Dmitriy Rabotyagov | e1e078350a | **Replace linters test with integrated one** We created an integrated linters check job a while back and it has been successfully working for several releases. At the moment we experience difficulties with future maintenance of the linters check from the openstack-ansible-tests repo. So instead of fixing the current one, we replace it with the modern version of the test. Change-Id: Ia1e4677d7e09bd74d57e9b48f606ddc1febf135a |
| Dmitriy Rabotyagov | d8c7ad355f | **Add libcapstone4 pinning from backports** After qemu has been updated in the osbpo repo, an extra requirement has appeared that is available only from the backports repo. So we add it to nova_backports_packages and limit apt_package_pinning only to Debian Buster. Change-Id: I284fbd7f8587886502ecc54adfe7314fb80967fd |
| Zuul | 2bf1293b12 | Merge "Add variables for rabbitmq ssl configuration" |
| Zuul | 454bcf01ec | Merge "setup.cfg: Replace dashes with underscores" |
| Jonathan Rosser | 5a60846262 | **Add variables for rabbitmq ssl configuration** Change-Id: Ibe24bf754bd56d6e518b93f05f47d163454e169d |
| Jonathan Rosser | 64d733fe10 | **Add port to transport_url database template** Change-Id: I544bc806b60d3190dfb42aa427c93673ceb34ed4 |
| yangyawei | df5a20da2f | **setup.cfg: Replace dashes with underscores** Setuptools v54.1.0 introduces a warning that the use of dash-separated options in 'setup.cfg' will not be supported in a future version [1]. Get ahead of the issue by replacing the dashes with underscores. Without this, we see 'UserWarning' messages like the following on new enough versions of setuptools: UserWarning: Usage of dash-separated 'description-file' will not be supported in future versions. Please use the underscore name 'description_file' instead [1] https://github.com/pypa/setuptools/commit/a2e9ae4cb Change-Id: Idab6e815af523b3d0f424b278f94ab5e3d55d12e |
| Zuul | 75c8e7563a | Merge "Do not use service_facts" |
| Jonathan Rosser | f0d865ea6f | **Do not use service_facts** This module collects a very large number of facts, 5x more data than the 'minimum' set collected by the setup module. To increase performance by minimising the facts per host, we can avoid using the service_facts module and use systemd to return the service status. Change-Id: Ieb7e1081cf307720bb9d78002ca10a8deaadffb5 |
| Zuul | dc0bd2a2b0 | Merge "Updated from OpenStack Ansible Tests" |