openstack/openstack-ansible-os_nova - openstack-ansible-os_nova - OpenDev: Free Software Needs Free Tools

For purpose of reducing deployed config to destination, we remove
scheduler-related sections for non-scheduler hosts.
Change-Id: I1c6dbc6570d14dc6165155c9d3dc3125a391d1b1

Allocation ratios as well as resource reservation should be defined
per compute. Compute does report it's resources to placement
and registers itself based on this data. Defining parameters also for
scheduler can be confusing and misleading of how these params work.
Same goes for used compute driver and some other compute-related
options which are historically added and managed by the role.
Change-Id: Iae5f5d3cf5853e3866d37e108ca4ea752858fbe4

Libvirt configuration should not be needed outside of the compute hosts,
which shall reduce amount of parameters in nova.conf for
scheduler/api.
Change-Id: Ic74feafa0a9fa26ea8453cacf99cf6a53decf877

Currently there is no way to avoid auto-discovery of mdev devices.
The only way to avoid them propagating to nova.conf is through
the config override.
Change-Id: Ie1c40a427599e610278262cfdb55fdcf017d4ede

The tags framework has been discontinued for a long time.
https://governance.openstack.org/tc/reference/tags/
https://governance.openstack.org/tc/resolutions/20211224-tags-framework-removal.html
Change-Id: Iff34b4422de9d8a8983ddede15d90e65598219eb

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/942775
Needed-By: https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/942783
Change-Id: I833fb0018184a3ae24c4fea23c661b038cdc3f81

The `difference()` filter inputs a list, and takes another list as
parameter, computes a set difference between the two, and returns
the resulting (unordered) list.
This is documented here:
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/difference_filter.html
This filter was changed in:
7d3d4572ed
The behaviour changed in ansible-core between 2.15 and 2.16:
```
 ################################################################
 ### Testing ansible-core==2.16
 ################################################################
 PLAY [Test ansible difference filter] ******************************************
 TASK [debug] *******************************************************************
 ok: [localhost] => {
 "msg": "diff with a string: ['one', 'two', 'six'] | difference('two') => ['one', 'six', 'two']"
 }
 TASK [debug] *******************************************************************
 ok: [localhost] => {
 "msg": "diff with a list: ['one', 'two', 'six'] | difference(['two']) => ['one', 'six']"
 }
 PLAY RECAP *********************************************************************
 localhost : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
 ################################################################
 ### Testing ansible-core==2.15
 ################################################################
 PLAY [Test ansible difference filter] ******************************************
 TASK [debug] *******************************************************************
 ok: [localhost] => {
 "msg": "diff with a string: ['one', 'two', 'six'] | difference('two') => ['one', 'six']"
 }
 TASK [debug] *******************************************************************
 ok: [localhost] => {
 "msg": "diff with a list: ['one', 'two', 'six'] | difference(['two']) => ['one', 'six']"
 }
 PLAY RECAP *********************************************************************
 localhost : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
```
The above was generated by using: https://github.com/vincent-legoll/test_ansible_diff
Closes-Bug: #2096936
Change-Id: I7a57c829803fc5baa8b1d3a1805c102f04b8ab2c
Signed-off-by: Vincent Legoll <vincent.legoll@iphc.cnrs.fr>

Since ansible-core 2.10 it is recommended to use modules via FQCN
In order to align with recommendation, we perform migration
by applying suggestions made by `ansible-lint --fix=fqcn`
Change-Id: I335f0f1bcdb5e5564ce3f82f44eec7d8c6ab4e0e

In order to reduce divergance with ansible-lint rules, we apply
auto-fixing of violations.
In current patch we replace all kind of truthy variables with
`true` or `false` values to align with recommendations along with
alignment of used quotes.
Change-Id: Ie1737a7f88d783e39492c704bb6805c89a199553

Support is removed in oslo.messaging so we remove support in
openstack-ansible roles.
Change-Id: I13f77bb8b63b3cc3d198dcbf918a6708f7d9d80e

This change matches an earlier modification to os_neutron
Currently we symlink /etc/<service> to empty directory at pre-stage,
and filling it with config only during post_install. This means,
that policies and rootwrap filters are not working properly until
playbook execution finish. Additionally, we replace sudoers file
with new path in it, which makes current operations impossible for
the service, since rootwrap can not gain sudo privileges.
With this change we move symlinking and rootwrap steps to handlers,
which means that we will do replace configs while service is stopped.
During post_install we place all of the configs inside the venv,
which is versioned at the moment.
This way we minimise downtime of the service while performing upgrades
Closes-Bug: #2056180
Change-Id: I9c8212408c21e09895ee5805011aecb40b689a13

In case compute nodes using non-standard SSH port or some other
hacky connection between each other, deployers might need to
supply extra configuration inside it.
community.general.ssh_config module was not used, as it requires extra
`paramiko` module to be installed on each destination host.
Change-Id: Ic79aa391e729adf61f5653dd3cf72fee1708e2f5

With ansible-core 2.16 a breaking changes landed [1] to some filters
making their result returned in arbitrary order. With that, we were
relying on them to always return exactly same ordered lists.
With that we need to ensure that we still have determenistic behaviour
where this is important.
[1] https://github.com/ansible/ansible/issues/82554
Change-Id: If26ec122b8defaa1dc1a44f8d6cb2510982cfdf7

The qemu-efi package does not exist on Ubuntu Noble, so instead
install the specific package for the host architecture.
Change-Id: Id91cafc9c2f234bd5f18017a99f757f2bd751b35

The default value for heartbeat_in_pthread has been reverted in
oslo.messaging to False [1] and backported back to Yoga.
At the moment this setting brings intermittent issues during live
migrations of instances and some other operations. So makes sense
to align it with default value.
[1] https://review.opendev.org/c/openstack/oslo.messaging/+/852251
Change-Id: I5601726095ff19620de2d87220efad191cf7cb6d

According to the documentation, it is expected to have a multiline data
inside vendor_data.json [1]
[1] https://cloudinit.readthedocs.io/en/latest/reference/datasources/openstack.html#vendor-data
Depends-On: https://review.opendev.org/c/openstack/ansible-config_template/+/924217
Closes-Bug: #2073171
Change-Id: Ifc1239e4ef768e94c44d8d07df7a0b93c73638f9

With update of ansible version having variables in conditions is not
allowed anymore, which results in error like:
`Conditional is marked as unsafe, and cannot be evaluated`
Change-Id: I6e8e0ee1ffc2c154bac0f64f2e797281d7ba966f

Due to the shortcoming of QManager implementation [1], in case of uWSGI
usage on metal hosts, the flow ends up with having the same
hostname/processname set, making services to fight over same file
under SHM.
In order to avoid this, we prepend the hostname with a service_name.
We can not change processname instead, since it will lead to the fight
between different processes of the same service.
[1] https://bugs.launchpad.net/oslo.messaging/+bug/2065922
Change-Id: Ie8c68cad4a89e5fcc43dad53d895d093cb3fe671

<service>-config tags are quite broad and have a long execution
time. Where you only need to modify a service's '.conf' file and
similar it is useful to have a quicker method to do so.
Change-Id: Idf0a0a7033d8f6c4d6efebff456ea3f19ea81185

During last release cycle oslo.messaging has landed [1] series of extremely
useful changes that are designed to implement modern messaging
techniques for rabbitmq quorum queues.
Since these changes are breaking and require queues being re-created,
it makes total sense to align these with migration to quorum queues by default.
Change-Id: Ia5069c9976d07ee3949e637d8eb76a06b380cdec

Update the zed release notes configuration to build from
unmaintained/zed.
Change-Id: Ic2423331f637f6054cc9c138aa6ca48ab3c08d61

In order to be able to globally enable notification reporting for all services,
without an need to have ceilometer deployed or bunch of overrides for each
service, we add `oslomsg_notify_enabled` variable that aims to control
behaviour of enabled notifications.
Presence of ceilometer is still respected by default and being referenced.
Potential usecase are various billing panels that do rely on notifications
but do not require presence of Ceilometer.
Change-Id: Ib5d4f174be922f9b6f5ece35128a604fddb58e59

In order to allow definition of policies per service, we need to add variables
so service roles, that will be passed to openstack.osa.mq_setup.
Currently this can be handled by leveraging group_vars and overriding `oslomsg_rpc_policies` as a whole, but it's not obvious and
can be non-trivial for some groups which are co-locating multiple services
or in case of metal deployments.
Change-Id: I6a4989df2cd53cc50faae120e96aa4480268f42d

This patch proposes to move condition on when to install certificates from
the role include statement to a combined "view" for API and Consoles.
While adding computes to the same logic might be beneficial for CI and
AIO metal deployments, it potentially might have a negative effect for
real deployments, as it will create bunch of Skipped tasks for computes
so we leave them separated.
With that API and Console are usually placed on same hosts, so it makes
sense to distribute certs towards them once but keeping possibility of
different hosts in mind.
Change-Id: I8e28a79a6e3a5be1fe54004ea1d2c3a3ccdc20bc

Add variable nova_cell_force_update to enable deployers to ensure that
role execution will also update cell mappings whenever that is needed.
For instance, it could be password rotation or intention to update MySQL
address.
Change-Id: I5b99d58a5c4d27a363306361544c5d80759483fd

Due to clash in resulting certificate names they were re-genearated each
playbook run.
In order to sort that we need to rename certificate names. As `nova_backend_ssl`
was implemented latest and not that widely adopted, we change name
for it.
This will cause all backend certificates for API to be re-generated.
Change-Id: I4bca3bb2733fe25dad71345f84d9030c535c901b

Once we've enabled TLS requirement in [1] jobs started failing on cell0
mapping as it was actually different and not connecting to MariaDB through
TLS when it was assumed it is.
[1] https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/911009
Change-Id: I96fa921cfdb849f59b5abd8452061d4c5bd04a76

When the nova_device_spec variable is provided as either a string or a
mapping, ensure that it's templated as a JSON string.
Also handle either strings or mappings within nova_device_spec if it's
provided as a list.
Closes-Bug: 2057961
Change-Id: I7041a19547af580408ff704578cb8f12d37da1ae

in cases when non-standard path to nova instances is configured with nova_system_home_folder variable there may be problems with instances spawning due to libvirt virt-aa-helper missing permission in apparmor profile, this commit resolves this
Change-Id: I3d37eb5a9635044570690370dfcbc060ff4d9e49

Instead of evaluating same condition of my_ip in multiple places across
the role this patch suggests doing this once in vars and using the
resulting variable afterwards.
This not only reduce amount of evaluations made throughout the role runtime,
but also solves possible corner cases where some syntax may go off.
Closes-Bug: #2052884
Change-Id: I454b53713ecacf844ac14f77b6d1e1adc1322c0e

In case when ceph is not being used as backend for nova, qemu.conf
file is not distributed, thus some settings, like nova_qemu_vnc_tls do
not have any effect
Closes-Bug: #2003749
Change-Id: I4bc68567cda57d73d030d9a5017cc411f7ee7732

It appears there was a change to remove the list option when
moving from pci_passthrough_whitelist. Instead device_spec
can be specified multiple times in the file.
This patch aims to resolve this whilst maintaining backwards
compatibility.
Change-Id: I12b38e45d7b41fbf4786d3320e511eb9127fe216

In usecases where only cinder is using ceph we currently do not
execute ceph_client role, which makes nodes failing to spawn instances
from RBD volumes.
Sample usecase where Glance might be using Swift and it might be desired to use
local storage for Nova ephemeral drives, but cinder spawning volumes
on Ceph
Currently this can be workarounded with setting `nova_rbd_inuse: True` but
at the same time `nova_libvirt_images_rbd_pool: ''`, though this is
counter-intuitive and this patch aims to improve this.
Change-Id: I412d1e9ccb51f0cd33a98333bfa1a01510867fbe

As of today we do not have any means of Blazar integration with Nova,
while we do provide roles for Blazar installation for a while now. This
patch aims to bring in more native integration and remove necessity
of overrides for such deployment.
Related-Bug: #2048048
Co-Authored-By: Alexey Rusetsky <fenuks@fenuks.ru>
Change-Id: Ica50a5504de1b1604f72123751cbb3f45c85ab46

This is a follow-up change to [1]. Depending on operating system and
environment configuration, default libvirt network may not exist.
Right now, `Check for libvirt default network` task throws an error in
this case causing nova playbook to fail.
This change fixes that by instructing ansible to not throw an error
if `virsh net-list` fails with "Network not found: no network with
matching name" because it is acceptable to not have this network.
[1] https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/899768
Change-Id: If692bc94f421bc84ad9e6d43f548b68196a9e751

Currently, autostart for libvirt default network is disabled only when
this network is active during nova playbook execution.
It's an incorrect behavior because in some cases this network may not be
active from the beginning.
Autostart should be always disabled to ensure that this network will not
be unexpectedly marked as active in the future(during package upgrade,
host reboot etc.).
Closes-Bug: #2042369
Change-Id: I697234bda1601b534ce1b6ab186fa98f83179ee8

Flag --until-complete is not valid for the nova-manage db purge command,
it is working only for archive_deleted_rows [1]. Suposedly it was a
copy/paste mistake to keep the flag in place.
[1] https://docs.openstack.org/nova/latest/cli/nova-manage.html#db-archive-deleted-rows
Change-Id: I7be8c41bd52b955d83c4452e67ef323abe00969e

Nova defaults to using public endpoint for Barbican API which would
require internet access from the compute node so change this to
use the internal API endpoint.
Change-Id: Iaa14a9bf80d2e02197e74d67e812afc518fe1b65

For quite some time, we relate usage of --by-service flag for
nova-manage cell_v2 discover_hosts command to the used nova_virt_type.
However, we run db_post_setup tasks only once and delegating to the
conductor host. With latest changes to the logic, when this task in
included from the playbook level it makes even less sense, since
definition of nova_virt_type for conductor is weird and wrong.
Instead, we attempt to detect if ironic is in use by checking hostvars
of all compute nodes for that. It will include host_vars, group_vars,
all sort of extra variables, etc.
Thus, ironic hosts should be better discovered now with nova-manage
command.
Related-Bug: #2034583
Change-Id: I3deea859a4017ff96919290ba50cb375c0f960ea

We have migrated to usage of ssh_keypairs role a while ago and we
can remove old migration clean-up task.
Change-Id: Ie3cbeb4bd41d3137f2332f28dbc72c8028fb5b3a