We don't want to run ansible if we don't get a complete inventory from
our clouds. The reason for this is we cannot be sure that the ordering
of git servers, gerrit, and zuul or our serialized updates of afs
servers will work correctly if we have an incomplete inventory.
Instead we just want ansible to fail and try again in the future (we can
then debug why our clouds are not working).
From the ansible docs for any_unparsed_is_failed:
If 'true', it is a fatal error when any given inventory source
cannot be successfully parsed by any available inventory plugin;
otherwise, this situation only attracts a warning.
Additionally we tell openstack inventory plugin to report failures
rather than empty inventory so that the unparsed failures happen.
Change-Id: I9025776af4316fbdd2c910566883eb3a2530852a
Some of our summaries need to display more than 20 tasks to show
complete information. Up to 50, which should be enough for anyone.
Change-Id: I3ae3bb714ea7f5fb094f85c33c19ea3c8a81f6c3
Add a logrotate role that allows basic configuration of a logrotate
configuration for a specific log-file.
Use this role in the ansible-cron and install-ansible roles to ensure
the log output they are generating is rotated.
This role is not intended to manage the logrotate package (mostly to
avoid the overhead of frequently checking package state when this is
expected to be called for multiple configuration files on a server).
We add it as a base package to our servers.
Tests are added for testinfra.
Change-Id: I90f59c3e42c1135d6be120de38e942ece608b761
According to the Ubuntu 12.04 release notes, up until Ubuntu 11.10
admin access was granted via the "admin" unix group, but was changed
to the "sudo" group to be more consistent with Debian et al.
Remove the now unnecessary group
Modify the install-ansible role to set some directory ownership to
root:root; there didn't seem to be any reason to use admin here.
This means the "users" role is no longer required in the bridge.yaml,
as it is run from the base playbook anyway.
Change-Id: I6a7fdd460fb472f0d3468eb080aebbb010931e11
These role docs aren't exactly War and Peace, but I think longer term
as we fiddle about making things generic or not and moving them
around, we'll be better off having kept ourselves to writing
*something*.
Add terse README.rst files for all existing roles, and add simple
linter check to ensure new roles get them too.
Change-Id: Ibc836310fb8a45e12c2e31f112d92509ac350413
In zuul's ansible config we add retries=3 to deal with transient issues.
Do the same thing for our production runs.
Change-Id: Ide53bae34e5e622de1fd4741706752e8728da20e
file: state=touch returns changed every time. Instead, put the log files
into a /var/log/ansible directory.
Change-Id: I086d803f0e532b9da41cb01d4e7d2ed66245dfc1
Rather than copying these out of system-config inside of
install-ansible, just point the ansible.cfg to them in the system-config
location. This way as changes come in that have group updates we don't
have to first apply them to the system.
Change-Id: I1cefd7848b7f3f1adc8fbfa080eb9831124a297b
The production directory is a relic from the puppet environment concept,
which we do not use. Remove it.
The puppet apply tests run puppet locally, where the production
environment is still needed, so don't update the paths in the
tools/prep-apply.sh.
Depends-On: https://review.openstack.org/592946
Change-Id: I82572cc616e3c994eab38b0de8c3c72cb5ec5413
We do this for zuul jobs already, so let's do it for our production
runs.
Shift the inventory cache location down a directory so that launch-node
can invalidate the inventory cache.
Change-Id: I52b1c48d091c07e4205c1a7233448925ca26d8d3
Now that we've got base server stuff rewritten in ansible, remove the
old puppet versions.
Depends-On: https://review.openstack.org/588326
Change-Id: I5c82fe6fd25b9ddaa77747db377ffa7e8bf23c7b
We want to configure firehose logically as the firehose service, but the
host that is in the group is called firehose01.openstack.org. Make a
group and put the config variables for firehose into it.
Change-Id: I17c8e8a72f41c5e2730af81f70cef81dd3ed7bca
regex_match seems to either not work or not exist or something. match,
otoh, works. Additionally, we get this:
[DEPRECATION WARNING]: Using tests as filters is deprecated. Instead
of using `result|match` use `result is match`. This feature will
be removed in version 2.9.
when using the | syntax, so obey the warning and switch to is.
Change-Id: Ie201241a11c08b9fed58c0e1790e8187ee4cf474
Bridge can run puppet on the remote hosts. Stop running on puppetmaster
so that we can run from bridge. Put it in the disabled group so that we
don't try to run puppet on it from bridge.
Change-Id: Ibcfa7e902c07c55e3a84f8232a11792c5f7d80e9
In order to get puppet out of the business of mucking with exim and
fighting ansible, finish moving the config to ansible.
This introduces a storyboard group that we can use to apply the exim
config across both servers. It also splits the base playbook so that we
can avoid running exim on the backup servers. And we set
purge_apt_sources the same as was set in puppet. We should probably
remove it though, since none of us have any clue why it's here.
Change-Id: I43ee891a9c1beead7f97808208829b01a0a7ced6
Now that we're running more than just "puppet apply", reconnecting
starts to add up. Turn on pipelining.
Change-Id: If629485a0e602f1a906fef0cabd73154243d7e3d
Instead of just having bridge be disabled, make a puppet group that it's
not a part of and switch the remote_puppet_else playbook to use that.
Change-Id: Ifb96ce483fc5675d095723bda70242a425bdc619
This is a setup for the next patch, to allow us to roll the change out.
Update the roles path to point to the system-config roles dir.
Change-Id: I6bcf36beba8e65c9dd8ddf9f4a99d0308f42c565
The list of allowed hosts is comma separated, not colon separated.
Set exclusive: yes to ensure this is the *only* authorized key.
The zuul-executor group is the group for ze hosts. It's not a second
zuul-scheduler group.
Change-Id: I214482ce8931e697ada497048fcf12fa492b98b7
There is a shared caching infrastructure in ansible now for inventory
and fact plugins. It needs to be configured so that our inventory access
isn't slow as dirt.
Unfortunately the copy of openstack.py in 2.6 is busted WRT to caching
because the internal API changed ... and we didn't have any test jobs
set up for it. This also includes a fixed copy of the plugin and
installs it into the a plugin dir.
Change-Id: Ie92e5d7eac4b7e4060a4e07cb29c5a6f2a16ae18
