Remove the puppetry for managing nameservers as we now use ansible
configured name servers without puppet.
We will need to follow this up with deletion of the existing
ns*.openstack.org and adns1.openstack.org servers.
Change-Id: Id7ec8fa58c9e37ce94ec71e4562607914e5c3ea4
The k8s-on-openstack code wants to use a keypair for getting ssh access
set up for nodes it creates. Add a keypair everywhere that has root's
public key in it so that we can run k8s-on-openstack.
Change-Id: I62d9b6e03a0a433446f022b954283ace9755d9d7
The owner address for the starlingx-discuss list on
lists.starlingx.io has started receiving large volumes of
unsolicited messages unrelated to its intended purpose. As there's
no easy way to discern them from legitimate messages, we'll do the
same as we've done for other owner addresses and reject them with a
brief error explaining the situation.
Change-Id: I95a910c2e6206098ca268a0e10e86b66455ad1bd
This was likely missed in bootstrapping. Temporarily allow all
authoritative slaves (opendev as well as openstack) to perform zone
transfers over 53/tcp on either silent master nameserver.
Change-Id: I68455a1d4fa5042da14b3c2e0747af00effad0da
An upcoming change will remove review.openstack.org and
puppetmaster.openstack.org from our hostgroups, since these servers
have been deleted from the provider already. We were explicitly
testing the hostgroup membership for the former, so replace that
with a couple of new ones which should provide more stable coverage
going forward.
Change-Id: Ida28b65e9f1dc01f233cc9bff4ce32aef70e347a
The arm64 nodes install special kernels so we have a dedicated
base-server task list for them. To reduce duplication we were then
include_tasks: Debian.yaml but this seems to result in the ansible play
crashing there and continuing with the next play in the playbook as if
there were no failure/error.
This is concerning but to deal with this in the present let's copy pasta
the debian bits so things hopefully work again then go from there.
Logs of this occurring:
2018-12-14 20:54:28,515 p=11685 u=root | TASK [base-server : Install HWE kernel for arm64] ******************************
2018-12-14 20:54:28,515 p=11685 u=root | Friday 14 December 2018 20:54:28 +0000 (0:00:14.672) 0:08:06.479 *******
2018-12-14 20:54:32,564 p=11685 u=root | ok: [mirror01.london.linaro-london.openstack.org]
2018-12-14 20:54:32,747 p=11685 u=root | ok: [nb03.openstack.org]
2018-12-14 20:54:32,843 p=11685 u=root | ok: [mirror01.nrt1.arm64ci.openstack.org]
2018-12-14 20:54:33,727 p=11685 u=root | ok: [mirror01.cn1.linaro.openstack.org]
2018-12-14 20:54:33,777 p=11685 u=root | TASK [base-server : Include generic Debian tasks] ******************************
2018-12-14 20:54:33,778 p=11685 u=root | Friday 14 December 2018 20:54:33 +0000 (0:00:05.262) 0:08:11.741 *******
2018-12-14 20:54:34,023 p=11685 u=root | PLAY [Base: configure OpenStackSDK on bridge] **********************************
2018-12-14 20:54:34,052 p=11685 u=root | TASK [include_role : configure-openstacksdk] ***********************************
Change-Id: I20dbd5b4c768c967c82f786a7cb1d5261bf5b494
This is a role for installing docker on our control-plane servers.
It is based on install-docker from zuul-jobs.
Basic testinfra tests are added; because docker fiddles the iptables
rules in magic ways, the firewall testing is moved out of the base
tests and modified to partially match our base firewall configuration.
Change-Id: Ia4de5032789ff0f2b07d4f93c0c52cf94aa9c25c
This collects syslogs from nodes running in our ansible gate tests.
The node's logs are grouped under a "hosts" directory (the bridge.o.o
logs are moved there for consistency too).
Change-Id: I3869946888f09e189c61be4afb280673aa3a3f2e
Docker wants to set FORWARD DROP but our existing rules set FORWARD
ACCEPT. To avoid these two services fighting over each other and to
simplify testing let's default to FORWARD DROP too.
None of our servers should act as routers currently. If we resurrect
infracloud or if we deploy k8s this may change but today this should be
fine and be a safer ruleset.
Change-Id: I5f19233129cf54eb70beb335c7b6224f0836096c
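
A check for the FORWARD default described in the commit message above, as an added example that is not part of the change itself: it reads `iptables-save` text and reports when the filter table's FORWARD policy is not DROP, or when a catch-all ACCEPT rule undoes that policy. The function name and the sample rule dumps are constructed for illustration.

```python
import shlex

def audit_forward(dump):
    """Return a list of findings for the filter table's FORWARD chain."""
    table, policy, findings = None, None, []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # "*filter", "*mangle", ...
            table = line[1:]
        elif line == "COMMIT":            # end of the current table
            table = None
        elif table != "filter":           # FORWARD also exists in mangle
            continue
        elif line.startswith(":"):        # ":CHAIN POLICY [pkts:bytes]"
            chain, chain_policy = line[1:].split()[:2]
            if chain == "FORWARD":
                policy = chain_policy
        elif shlex.split(line) == ["-A", "FORWARD", "-j", "ACCEPT"]:
            # An unconditional ACCEPT makes the DROP policy unreachable.
            findings.append("catch-all ACCEPT rule in FORWARD")
    if policy is None:
        findings.insert(0, "filter table has no FORWARD chain")
    elif policy != "DROP":
        findings.insert(0, f"FORWARD policy is {policy}, expected DROP")
    return findings

# Constructed, trimmed sample dumps (not taken from any real server).
OLD_RULES = """*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
"""
NEW_RULES = """*mangle
:FORWARD ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
COMMIT
"""
UNDERMINED = NEW_RULES.replace("-A FORWARD -o docker0 -j DOCKER",
                               "-A FORWARD -j ACCEPT")
```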
Set up the initial boilerplate to enable addition of new
project-neutral Mailman mailing lists on lists.opendev.org.
Change-Id: I8cad4149bdd7b51d10f43b928cdb9362d4bde835
We believe the relative_priority change has altered our workload
such that we have smaller jobs starting more frequently. Since
job starts are limited by the executors, we have developed a backlog
and need another executor to relieve the pressure.
Change-Id: I98052e0135c7ee615f1f187b9d0a250cdd1ff178
We have an arm specific task here to install the HWE kernel. We use
first found to select these tasks which means the default Debian package
setup (unattended upgrades and cleanup) is not installed on our arm
servers.
Fix this by having the arm specific tasks include the generic Debian
tasks.
Change-Id: Ibb57e8b095a4cbd27cc14ef0c5ad45c61edc0679
We don't intend on using lxd on our servers and lxd is causing problems
for unattended upgrades. Let's just make sure these packages aren't
installed and avoid the problems entirely.
Change-Id: I9c6fcf8b0072c23ee0127245fa3bb6c3477dcaf5
This change takes the ARA report from the "inner" run of the base
playbooks on our bridge.o.o node and publishes it into the final log
output. This is then displayed by the middleware.
Create a new log hierarchy with a "bridge.o.o" to make it clear the
logs here are related to the test running on that node. Move the
ansible config under there too.
Change-Id: I74122db09f0f712836a0ee820c6fac87c3c9c734
This change enables the installation of the ARA callback plugin in
the install-ansible role. It does not take care of any web reporting
capabilities.
ARA will not be installed and set up by default.
It can be installed and configured by setting
"install_ansible_enable_ara" to "true".
Co-Authored-By: David Moreau-Simard <dmsimard@redhat.com>
Co-Authored-By: Ian Wienand <iwienand@redhat.com>
Change-Id: Iea84ec8e23ca2e3f021aafae4e89c764f2e05bd2
Rename install_openstacksdk to install_ansible_opensatcksdk to make it
clear this is part of the install-ansible role, and it's the
openstacksdk version used with ansible (might be important if we
switch to virtualenvs). This also clears up inconsistency when we add
ARA install options too.
Change-Id: Ie8cb3d5651322b3f6d2de9d6d80964b0d2822dce
This syntax doesn't work in Ansible 2.8.0. Further, we can use
"listen" to collapse the notify to a single item (at the
expense of duplicating the when clause in the handlers).
Change-Id: I05e2d32f4e1e692ac528a7254c6e3be2858ebacf
The current-context field needs to reference a defined context. The file
otherwise defines only one "vexxhost-sjc1". Set current-context to that
context.
Change-Id: I1d8991efb5d546f007146fd2fa86ce2b2aeed286
This list's owners have asked for it to be shut down, as they will
be using an [interop-wg] tag on the new openstack-discuss ML for
future communication. Once this merges (so that Puppet won't
recreate it), the list can be removed with the `rmlist` utility
(this will still leave the archives available but will remove it
from the list index and no longer accept subscriptions/posts).
Set the old list address as an alias for the new openstack-discuss
ML so that replies to previous messages from the list will be routed
there for the foreseeable future.
Change-Id: Ib5fd5aece2465d569e0e7c180ee14ba94882f2b7
The general openstack, openstack-dev, openstack-operators and
openstack-sigs mailing lists have been deprecated since November 19
and are slated to be removed on December 3. Merging this on that
date will ensure any further replies to messages from those lists
are rerouted to the new openstack-discuss mailing list for the
foreseeable future.
The openstack-tc list is included in this batch as it has already
been closed down with a recommendation to send further such
communications to the openstack-discuss ML.
Additionally remove the Puppet mailman resource for the
openstack-sigs ML so it won't be automatically recreated after it
gets deleted (the other lists predate our use of Puppet for this
purpose).
Clean up the corresponding -owner spam rejection aliases since these
addresses will no longer be accepting E-mail anyway.
Change-Id: I9a7fae465c3f6bdcf3ebbadb8926eb4feb8fad79
This installs Ansible 2.7.3 on bridge.o.o to incorporate fixes for [1]
which is currently stopping the cloud-launcher from running.
Currently every run it hits citycloud Lon1 and tries to delete its
router
TASK [cloud-launcher : Processing router openstackci-router1 for openstackci-citycloud Lon1] ***
Monday 12 November 2018 04:07:48 +0000 (0:00:00.430) 0:07:45.811 *******
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error
detaching interface from router c7197a8f-096a-4488-a3ae-16fdce0ea580
... cannot be deleted, as it is required by one or more floating
IPs."}
Although it doesn't succeed, it's probably better that it isn't even
trying...
A prior version of this installed the unreleased stable branch to
bring this in, but didn't end up with enough reviews. I've left
behind how to do that as a breadcrumb should we need to do similar in
the future (we do seem to have a knack of tickling Ansible bugs :)
[1] 951572bec1
Change-Id: I8f112ba994040c52c7b3c7ee6fd6f5a69fd22919
Remove the zookeeper tcp firewall rules from the nodepool group vars
file as we have dedicated zookeeper servers now. These rules are not
helpful.
Change-Id: I08c2596b8f459fe59d45b0f01e002b9e4b4186d4
This adds connection information for an experimental kubernetes
cluster hosted in vexxhost-sjc1 to the nodepool servers.
Change-Id: Ie7aad841df1779ddba69315ddd9e0ae96a1c8c53
The OpenStack Korean mailing list's owner address has
become overrun by the same mass spam we've seen hitting our other ML
owner addresses. Add a blackhole alias for it.
Change-Id: Ia6c7e6701a69ee56076062aa85f8699121648501
The OpenStack SIGS mailing list's owner address is starting to
become overrun by the same mass spam we've seen hitting our other ML
owner addresses. Add a blackhole alias for it.
Change-Id: Iefc5b5fa600c5d1de75d3302c8ddf0e1a03301e5