The 'Create authorized keys file from host vars' task assumes that every
host within the nova_compute group is available. If any host within that
group is offline, excluded through a limit, or has otherwise failed an
earlier task, it will lead to this task failing for every host.
Add a when clause checking for the existence of the nova_pubkey hostvar
so that the task and remainder of the role can continue when a
nova_compute host is unavailable.
Related-Bug: 1531783
Change-Id: Idec01d13c35632204a2ae0f0a848a0ccc5b34d73
The db create tasks have been removed from the role and have been
relocated into the playbooks.
Change-Id: I8b9761689f3c6c51a3a7b50e71c8acf040a6c32f
Depends-On: If58e482034a65c0e50241448dbe298a73c1ae71b
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Currently all pip install tasks only require the package to be
present. This means that when an environment undergoes a minor
upgrade the package is not upgraded to the same version that
was tested with. This ultimately results in a deployed
environment that does not match the tested environment.
While for the services installed into venvs this is not an
issue, it does affect those which do not use venvs and any
packages which are installed outside of a venv or on top
of a venv.
This patch changes the behaviour to ensure that the install
task will always use the latest available package. In
developer_mode this will mean using the version specified
in upper-constraints, and in an integrated build this will
mean the version which is available in the wheel repo's
folder for the tag.
Change-Id: I1d6f0123b81a0cfc20a6d30c1a87d1f861a473a7
This patch configures Nova for use with Ironic, noting that
without moving to cells, an openstack-ansible install can support
only one type of hypervisor at a time (i.e. kvm or ironic etc).
Setting the nova_virt_type determines whether Nova is configured
for Ironic. If it is left unset, the default kvm hypervisor
is used.
The nova virtualization types have all been moved into a single
nova_virt_types data structure which is used to define facts
for a specific supported virtualization type. This change is
compatible with older versions of overrides as the virt type
values are used to set host facts which could also be set
using user variables or any other means to predefine a default
value.
Change-Id: Ic8160fa00457d68ee223452f4dae6d38bffcdca0
Signed-off-by: Michael Davies <michael@the-davies.net>
Partially-implements: blueprint role-ironic
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Flavors are being moved to the API database for CellsV2. Add a task to
perform online data migrations as required for both the initial
migration of flavors to the Nova API database in a new Newton deployment
and for all required migrations when upgrading from Mitaka.
Also include the creation and use of a new flavor in this role's
functional testing.
Change-Id: I6b562476a6db8fdbaba81f5872734e5efdb522e1
This commit breaks out the tests/test.yml file into sub task files and
deploys all the necessary components (keystone, glance, neutron) to
boot nova instances. The functional test validates a few nova ports
and then proceeds to creating a glance image and neutron network
bits before spinning up an instance.
Additionally, this change does the following:
- fully defines the inventory rather than having test-prepare-host.yml
  add containers to it
- removes installation of lxc_python2 library, since this is no longer
  necessary
- updates test-prepare-keys.yml to use localhost instead of 127.0.0.1,
  uses become_user=jenkins instead of become=false, and removes
  redundant connection
- updates test-prepare-host.yml by removing redundant become and
  connection options, changes 127.0.0.1 to localhost, and removes
  mocking ansible_env
- groups vars defined in each individual file into a single
  test-vars.yml file
Change-Id: I80b1923cbf5c4375d2fb71bc71c326d43f1443b4
Now that auth token usage is deprecated, prefer the admin
user and password for all nova setup tasks run against
keystone.
Change-Id: I0796c3eb16deeda9021ba39b02840499fca3fa1c
This commit changes the pip_install_options fact name in
nova_install.yml to pip_install_options_fact. This allows us to
maintain the existing pip_install_options variable without overwriting
it with options when in developer mode, which ultimately means we can
have multiple services running in a container use a combination of
*_developer_mode: true and *_developer_mode: false. At the moment,
if a service writes pip_install_options fact with the constraints
options, those options will persist to other services running in the
container even if *_developer_mode: false.
Change-Id: Ifbc0e3e345e321b908088d3ea7fc1b1041ae084b
Last week, keystone was failing to install in developer mode due to us
not specifying upper constraints. This was due to an uncapped version
of pysaml2 being installed which is causing problems. This commit first
clones the requirements repo and then uses the upper constraints file
when installing packages.
Note that we only update pip_install_options when in developer mode if
the constraints aren't already set. This is because in developer mode
you could have a container with multiple services running on it and the
pip_install_options fact would get updated when already set, resulting
in pip failing to install packages.
Change-Id: If2e7036d02a94bee67df12a610b0110434410777
Partial-Bug: #1553963
This change adds in the nova_api db migration that has to happen
within mitaka. This is a new required DB though the DB entry has
existed since Kilo.
Change:
* The change brings in two new DB create commands as well as an
additional task to execute the nova api_db sync.
* Additionally, new DB tunings were added to the defaults file.
Re-Implementation-Of: https://review.openstack.org/#/c/274932/9
UpgradeImpact
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Change-Id: If63b541bfaf91333ac5963d391e6058ac8254eec
Deployers with shared storage systems must ensure that the nova
user and group have consistent UIDs and GIDs respectively. This
patch adds a configurable option for deployers to set a UID/GID
for the nova user and group. Warnings are provided in the
default/main.yml about the potential dangers of adjusting this
value on a production system.
Docs and a release note will be proposed separately in the
OpenStack-Ansible main repository for this change.
Closes-Bug: 1544889
Change-Id: I881555a896455ce3c897d56a143a8a25c088880b
This commit adds the ability to install nova without a repo server.
This pattern is lifted from the os_keystone role and allows us to
further develop functional testing for this role.
Change-Id: Ifb1c4140a33dc1d3de7f0f2741e51191efd989db
This change removes the messaging tasks from this role because
they will be relocated into the play in OpenStack-Ansible.
Change-Id: Ied0ae67b2ed0ffc782f7e86911a2060328d9184d
Depends-On: I3016039692d8130654fe1bff422f24ef2afc196e
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
The sudoers file was being created in the pre-install tasks
which causes an incorrect configuration variable to be dropped
when the venv env is not turned on. To correct this issue the
sudoers template is now dropped in the post install task file
after the bin_path fact has been set.
This change also removes the directory create task for heat, keystone,
glance, and swift because no sudoers files are needed for these services.
Re-Implementation-Of: https://review.openstack.org/#/c/277674/1
Change-Id: I609c9c12579dc1897787d19a1f58fe3e919b5e35
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
ansible-lint 2.3.7 added a rule checking for use of the deprecated
'sudo' and 'sudo_user' directives. They have been replaced with 'become'
and 'become_user' respectively.
Change-Id: I2271fe8468840884f19f41abba37e696c6296350
Work around the upstream ansible apt module bug
documented here:
https://github.com/ansible/ansible-modules-core/pull/1517
For the next versions of ansible we'll be using, we should
check if the apt bug is fixed. When it's fixed, we could
abandon this change and use the standard apt module
with correct cache handling.
Change-Id: I2aaf00da175f31d0157bbc4ae30a4e176b055078
Deploy user SSL keys for novnc console containers so users viewing
the console in Horizon will be able to access the console over https.
Example configuration:
    nova_console_type: novnc
    nova_novncproxy_proto: https
    nova_console_user_ssl_cert: ~/certs/horizon.pem
    nova_console_user_ssl_key: ~/certs/horizon.key
    nova_console_user_ssl_ca_cert: "{{ ssl_ca_cert }}"
Change-Id: Icb66631ac0b00afe12519fd742e3198e828a10cc
Currently, if you run the os-nova-install.yml playbook with the
nova-config or nova-install tags, the run will fail as nova_virt_type
is not defined anywhere. This commit updates os_nova/tasks/main.yml by
adding the always tag so that nova_virt_detect.yml is always included.
Change-Id: Id0fdd12aecc63c066da985fbb058cb85926b2ff3
We currently have two issues with venvs:
- if you update your venv on the repo server, it is not possible for
  that updated venv to land on the service's container as the get_url
  task always skips if the file exists (even if the file is different)
- if you have an updated venv on the repo server and forcefully delete
  the cached venv tarball on the service's container, the new tarball
  will get unarchived over top of the existing venv
This commit does the following:
- gets the checksum of the /var/cache tarball and downloads checksum
  file from repo server
- updates "Attempt venv download" to only download the venv if the
  cache doesn't exist or if the local and remote checksums differ
- adds a "force: true" to "Attempt venv download" task so that the venv
  tarball will get re-downloaded when the when condition is true (this
  is necessary otherwise the download will get skipped since the
  destination already exists)
- adds a new task "Remove existing venv" so we can first remove the
  venv before we unarchive the potentially new venv from the repo
  server
- updates "Create nova venv dir" and "Unarchive pre-built venv"
  tasks to only proceed if "nova_get_venv | changed", which
  prevents these tasks from running when the venv tarball hasn't
  changed
- adds multiple service restarts to
  os_nova/tasks/nova_install.yml so that nova will restart
  correctly should the venv/packages update without any associated
  config changes
NOTE: The reason why we compare local and remote checksum is to avoid
unnecessarily downloading the venv when the checksums are in fact
the same. On small deploys this is more or less a non-issue but
if a deploy w/ thousands of compute nodes re-runs playbooks we
want to limit the venv downloads when it's unnecessary.
Change-Id: Ibe25126ee38f51fb71f877a54d32dd56d2a8a74d
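
The refresh logic described in the commit message above, as an added shell example that is not the role's own Ansible tasks. The function names, the `.tgz`/`.checksum` file layout, the use of sha256 and `cp` standing in for the download are assumptions; the post-download checksum check goes one step beyond what the commit describes.

```shell
#!/bin/sh
# Added example: names, layout and hash algorithm are assumptions.

# Succeeds (download needed) when the cache is missing or the checksums differ.
venv_needs_download() {
    cached=$1; remote_checksum_file=$2
    [ -f "$cached" ] || return 0
    local_sum=$(sha256sum "$cached" | cut -d' ' -f1)
    remote_sum=$(cut -d' ' -f1 "$remote_checksum_file")
    [ "$local_sum" != "$remote_sum" ]
}

# refresh_venv REPO CACHE VENV NAME: prints "changed", "unchanged" or "corrupt".
refresh_venv() {
    repo=$1; cache=$2; venv=$3; name=$4
    if ! venv_needs_download "$cache/$name.tgz" "$repo/$name.checksum"; then
        echo unchanged; return 0
    fi
    # Stands in for the forced download ("force: true") from the repo server.
    cp -f "$repo/$name.tgz" "$cache/$name.tgz"
    # Extra check, not in the commit: refuse a tarball that does not match
    # the published checksum and leave the running venv untouched.
    if venv_needs_download "$cache/$name.tgz" "$repo/$name.checksum"; then
        rm -f "$cache/$name.tgz"
        echo corrupt; return 1
    fi
    # Remove the existing venv first so files dropped from the new build
    # do not survive the unarchive.
    rm -rf "$venv"
    mkdir -p "$venv"
    tar -xzf "$cache/$name.tgz" -C "$venv"
    echo changed
}

# publish REPO NAME FILE...: build a constructed tarball plus checksum file,
# playing the part of the repo server for a local run.
publish() {
    repo=$1; name=$2; shift 2
    src=$(mktemp -d)
    for f in "$@"; do echo "$f" > "$src/$f"; done
    tar -czf "$repo/$name.tgz" -C "$src" .
    sha256sum "$repo/$name.tgz" | cut -d' ' -f1 > "$repo/$name.checksum"
    rm -rf "$src"
}
```

Calling `publish` on a scratch directory and then `refresh_venv` twice shows the second run reporting `unchanged`, which is the behaviour the NOTE above relies on for large deployments.
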
Extracting the ssh public key using cat and storing the result in a
fact has resulted in periodic failures in the collection of the key,
and thereafter the failure to appropriately place that key into the
authorised_keys file.
This patch changes the collection method to use the Ansible slurp
module which has been found to be more reliable.
Closes-Bug: #1531783
Change-Id: I26340a0c69064f84d9d87f19ce015ba44b6ffa8b
`role_name` is a reserved variable name. Instead, use the explicit
service_role_name variables when adding roles to users.
Change-Id: Ia5fa0e400aeec6d808891c5dd793ee8177d9b5f3
If egrep is not located at /usr/bin/egrep, the os_nova "Get virt type
value and store as var" task will silently fail causing the
nova_virt_type to always default to qemu.
Update the command to include a lookup for the correct path to egrep.
Change-Id: I378b555d157ee3f39d682c3ddadb6e3ffd933503
Closes-Bug: #1531670
When using an LDAP backend the playbooks fail when "ensuring.*"
which is a keystone client action. The reason for the failure is
related to how ldap backend, and is triggered when the service
users are within the ldap and not SQL. To resolve the issue a boolean
conditional was created on the various OS_.* roles to skip specific
tasks when the service users have already been added into LDAP.
Change-Id: I64a8d1e926c54b821f8bfb561a8b6f755bc1ed93
Closes-Bug: #1518351
Closes-Bug: #1519174
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Ceph python bindings are now available from pypi, so they can be
installed within a venv. Previously we were relying on the bindings
being installed via an apt package and symlinking out of the relevant
venvs into site packages.
This commit also includes a revert for the commit that introduced the
symlinks:
Revert "Symlink ceph libraries out of venv"
This reverts commit a0ab6f7a6efea1dabf5ac006f766c17596a0d10b.
Ceph Bug: http://tracker.ceph.com/issues/5900
Related-Bug: #1509837
Package URL: https://pypi.python.org/pypi/python-cephlibs/0.94.5.post1
Change-Id: Id8a0b8ea810fd9e43f9743bb2572e2b6b0985230
In https://review.openstack.org/243098 nova_virt_type auto-detection
was implemented, but the default nova_virt_type value of kvm was left
in place, resulting in the auto-detection never happening.
This patch implements the auto-detection if nova_virt_type is not set
and removes the default value for nova_virt_type.
Change-Id: Ic1c8f042bc6bbee542373d335f338866efa06dc7
If the nova_virt_type variable is not defined in defaults/main.yml,
using the command "egrep -c '(vmx|svm)' /proc/cpuinfo" in the
deploy environment can easily tell us what the right
virt_type is according to the return value.
If this command returns a value of one or greater, your
compute node supports hardware acceleration and just set
virt_type = kvm.
If this command returns a value of zero, your compute node
does not support hardware acceleration and you must configure
virt_type = qemu instead of kvm.
Change-Id: I6e36ffcb56d50556df0803aea9f4cd7850fada5a
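
The detection rule from the commit message above, together with the egrep path problem reported in bug #1531670 further up this log, as an added shell example that is not the role's own task. The function name `detect_virt_type` is hypothetical, and `grep -E` found through PATH is used in place of a fixed `/usr/bin/egrep`.

```shell
#!/bin/sh
# Added example: detect_virt_type is a hypothetical helper, not role code.

# detect_virt_type [CPUINFO]: prints "kvm" or "qemu".
# Exits 2 when detection could not run, so a broken lookup is reported
# instead of silently turning into a qemu default.
detect_virt_type() {
    cpuinfo=${1:-/proc/cpuinfo}
    # Resolve grep through PATH rather than hardcoding its location.
    grep_bin=$(command -v grep) || { echo "grep not found" >&2; return 2; }
    [ -r "$cpuinfo" ] || { echo "cannot read $cpuinfo" >&2; return 2; }
    # grep -c exits 1 when the count is 0. That is a valid answer (no
    # vmx/svm flag present), so only other exit codes count as failure.
    count=$("$grep_bin" -Ec '(vmx|svm)' "$cpuinfo") || [ $? -eq 1 ] || return 2
    if [ "$count" -ge 1 ]; then
        echo kvm     # hardware acceleration available
    else
        echo qemu    # no hardware acceleration
    fi
}
```
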
Currently, we install python-rados and python-rbd via apt when ceph
integration is enabled, which causes issues when venvs are used in the
environment. This commit adds a temporary work-around by creating
symlinks in the venv to the installed libraries outside.
There is currently a ceph issue [1] in progress to make this possible,
and once this has been completed we can update ceph_client role to
install python packages instead.
[1] http://tracker.ceph.com/issues/5900
Change-Id: Ia7a3ceae002054fd75e0305892b20ce1143f8dcc
Closes-Bug: #1509837
The change builds venvs in a single repo container and then
ships them to all targets. The built venvs will be within
the repo servers and will allow for faster deployments,
upgrades, and more consistent deployments for the life cycle
of the deployment.
This will create a versioned tarball that will allow for
greater visibility into the build process as well as giving
deployers/developers the ability to compare a release in
place.
Change-Id: Ieef0b89ebc009d1453c99e19e53a36eb2d70edae
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This review standardises the ownership of the *_venv_dir directories by
ensuring all are created as root instead of using the service's user.
This behaviour already exists in the following roles:
- os_aodh
- os_glance
- os_swift
Change-Id: Idab42b83bece3624271780105f6a937eb88c7491
This commit conditionally allows the os_nova role to
install, build and deploy within a venv. This is the new
default behavior of the role; however, the functionality
can be disabled.
Implements: blueprint enable-venv-support-within-the-roles
Change-Id: I13cf36058d08934a41b24ccf4f1700321ab00547
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
If a cloned repo contains local modifications, the clone task will
fail. This ensures any local modifications are discarded, ensuring a
successful clone.
Change-Id: Ic5799fe07e15739cc11acabba803e3be47606f94
Closes-Bug: #1506590
This patch includes the following updates based on the updated
source in Nova's Liberty release:
- api-paste.ini
- policy.json
- rootwrap.d/compute.filters
- rootwrap.d/network.filters
The Nova S3 and v3 APIs have been removed in Liberty, so all
related variables and configuration file entries have been
removed.
The Nova EC2 API is deprecated in Liberty. All related variables in
OpenStack-Ansible and configuration files have been removed as all
deployers are recommended to make use of the actively developed
replacement: https://github.com/stackforge/ec2-api
The Nova v2 and v1.1 APIs are enabled using the upstream default
compatibility layer. Neither of these versions will be registered in
the service catalog.
The default API version is set to v2.1. For new environments, no
other API versions are registered in the service catalog.
The following variables have been removed:
- S3 API
  - nova_s3_service_name
  - nova_s3_service_type
  - nova_s3_service_proto
  - nova_s3_service_publicuri_proto
  - nova_s3_service_adminuri_proto
  - nova_s3_service_internaluri_proto
  - nova_s3_service_port
  - nova_s3_service_description
  - nova_s3_service_publicuri
  - nova_s3_service_publicurl
  - nova_s3_service_adminuri
  - nova_s3_service_adminurl
  - nova_s3_service_internaluri
  - nova_s3_service_internalurl
  - nova_s3_program_name
  - nova_s3_deprecated_but_enabled
- EC2 API
  - nova_ec2_service_name
  - nova_ec2_service_type
  - nova_ec2_service_proto
  - nova_ec2_service_publicuri_proto
  - nova_ec2_service_adminuri_proto
  - nova_ec2_service_internaluri_proto
  - nova_ec2_service_port
  - nova_ec2_service_description
  - nova_ec2_service_publicuri
  - nova_ec2_service_publicurl
  - nova_ec2_service_adminuri
  - nova_ec2_service_adminurl
  - nova_ec2_service_internaluri
  - nova_ec2_service_internalurl
  - nova_ec2_program_name
  - nova_ec2_deprecated_but_enabled
- v3 API
  - nova_v3_service_name
  - nova_v3_service_type
  - nova_v3_service_proto
  - nova_v3_service_publicuri_proto
  - nova_v3_service_adminuri_proto
  - nova_v3_service_internaluri_proto
  - nova_v3_service_port
  - nova_v3_service_description
  - nova_v3_service_publicuri
  - nova_v3_service_publicurl
  - nova_v3_service_adminuri
  - nova_v3_service_adminurl
  - nova_v3_service_internaluri
  - nova_v3_service_internalurl
  - nova_v3_deprecated_but_enabled
- v2.1 API
  - nova_v21_service_name -> nova_service_name
  - nova_v21_service_type -> nova_service_type
  - nova_v21_service_proto -> nova_service_proto
  - nova_v21_service_publicuri_proto -> nova_service_publicuri_proto
  - nova_v21_service_adminuri_proto -> nova_service_adminuri_proto
  - nova_v21_service_internaluri_proto -> nova_service_internaluri_proto
  - nova_v21_service_port -> nova_service_port
  - nova_v21_service_description -> nova_service_description
  - nova_v21_service_publicuri -> nova_service_publicuri
  - nova_v21_service_publicurl -> nova_service_publicurl
  - nova_v21_service_adminuri -> nova_service_adminuri
  - nova_v21_service_adminurl -> nova_service_adminurl
  - nova_v21_service_internaluri -> nova_service_internaluri
  - nova_v21_service_internalurl -> nova_service_internalurl
  - nova_v21_enabled
DocImpact
UpgradeImpact
Implements: blueprint liberty-release
Change-Id: Ie5a42059c10e7fd0bfc4dba8d87dea3f32db968e
'ws://' is currently hardcoded within the spice_auto.html file included
in the packaged release of spice-html5, raising a security error when
accessing consoles over HTTPS.
Remove the existing apt package and install spice-html5 from source
instead since this issue has been corrected as of spice-html5-0.1.6.
Change-Id: Ie308a477143037963f903f2ac21b2b1f0328fcb3
Partial-Bug: #1424797