From 623f9fe20df066ac28b48a45f4360775563ec2db Mon Sep 17 00:00:00 2001
From: stackhpc-ci <22933334+stackhpc-ci@users.noreply.github.com>
Date: Fri, 24 Jan 2025 10:57:05 +0000
Subject: [PATCH 001/187] feat: automatic update of workflows stackhpc/master
---
.github/workflows/tag-and-release.yml | 12 ++++++++++++
.github/workflows/tox.yml | 7 +++++++
2 files changed, 19 insertions(+)
create mode 100644 .github/workflows/tag-and-release.yml
create mode 100644 .github/workflows/tox.yml
diff --git a/.github/workflows/tag-and-release.yml b/.github/workflows/tag-and-release.yml
new file mode 100644
index 000000000..cff2f940d
--- /dev/null
+++ b/.github/workflows/tag-and-release.yml
@@ -0,0 +1,12 @@
+---
+name: Tag & Release
+'on':
+ push:
+ branches:
+ - stackhpc/master
+permissions:
+ actions: read
+ contents: write
+jobs:
+ tag-and-release:
+ uses: stackhpc/.github/.github/workflows/tag-and-release.yml@main
diff --git a/.github/workflows/tox.yml b/.github/workflows/tox.yml
new file mode 100644
index 000000000..8713f0e02
--- /dev/null
+++ b/.github/workflows/tox.yml
@@ -0,0 +1,7 @@
+---
+name: Tox Continuous Integration
+'on':
+ pull_request:
+jobs:
+ tox:
+ uses: stackhpc/.github/.github/workflows/tox.yml@main
From 1d1397efdeb73a5b1c33b736852895264fc82ffe Mon Sep 17 00:00:00 2001
From: stackhpc-ci <22933334+stackhpc-ci@users.noreply.github.com>
Date: Fri, 24 Jan 2025 10:57:33 +0000
Subject: [PATCH 002/187] feat: automatic update of community files stackhpc/master
---
.github/CODEOWNERS | 1 +
1 file changed, 1 insertion(+)
create mode 100644 .github/CODEOWNERS
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 000000000..e9a948a0d
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @stackhpc/kayobe
From c745cc1260b78f0f83dce0c5f4dba7c47c677486 Mon Sep 17 00:00:00 2001
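Review bot: In `.github/workflows/tag-and-release.yml` the reusable workflow is referenced by the mutable ref `@main` while the caller grants `contents: write`, so whatever is on that branch at run time executes with write access to this repository on every push to `stackhpc/master`. Pinning the reference to a full commit SHA, `uses: stackhpc/.github/.github/workflows/tag-and-release.yml@<full-commit-sha>  # main`, makes the executed code reviewable and turns each update into a visible diff. The same `@main` reference is used in `.github/workflows/tox.yml`, which also declares no `permissions:` block and so runs with the repository's default token permissions; a top-level `permissions:` mapping containing `contents: read` there would state the least-privilege intent explicitly.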
From: Will Szumski Date: Wed, 8 Jan 2025 11:25:51 +0000 Subject: [PATCH 003/187] Fix slurp upgrades due to 2023.1 branch name change stable/2023.1 has been renamed to unmaintained/2023.1 Change-Id: I6ea69b21b22f130fc2e4532c72b1790511bb89b1 (cherry picked from commit 9da82a952ddfb585aeefc5d4d79933738591fe4b) --- playbooks/kayobe-base/pre.yml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/playbooks/kayobe-base/pre.yml b/playbooks/kayobe-base/pre.yml index 45bf2f643..e67e2ac4c 100644 --- a/playbooks/kayobe-base/pre.yml +++ b/playbooks/kayobe-base/pre.yml @@ -82,7 +82,9 @@ kayobe_galaxy_requirements_src_dir: "{{ kolla_ansible_src_dir }}" kayobe_galaxy_requirements_dest_path: "/tmp/kolla-ansible-requirements.yml" - - block: + - vars: + branch_prefix: "{{ 'unmaintained' if previous_release | lower == '2023.1' else 'stable' }}" + block: - name: Ensure previous kayobe directory exists file: path: "{{ previous_kayobe_src_dir }}" @@ -90,7 +92,7 @@ - name: Ensure previous kayobe repository is cloned command: >- - git clone {{ kayobe_src_dir }} {{ previous_kayobe_src_dir }} -b stable/{{ previous_release | lower }} + git clone {{ kayobe_src_dir }} {{ previous_kayobe_src_dir }} -b {{ branch_prefix }}/{{ previous_release | lower }} - name: Ensure previous kayobe-config directory exists file: @@ -99,7 +101,7 @@ - name: Ensure kayobe-config repository is cloned command: >- - git clone {{ kayobe_config_src_dir }} {{ previous_kayobe_config_src_dir }} -b stable/{{ previous_release | lower }} + git clone {{ kayobe_config_src_dir }} {{ previous_kayobe_config_src_dir }} -b {{ branch_prefix }}/{{ previous_release | lower }} - name: Ensure previous kolla-ansible directory exists file: 
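Review bot: The `branch_prefix` expression added in the `@@ -82,7 +82,9 @@` hunk of `playbooks/kayobe-base/pre.yml` hard-codes a single release, so the next series that moves from `stable/` to `unmaintained/` needs another edit to this conditional, and until then the clones would fail on a missing branch. Consider driving it from a list, e.g. `branch_prefix: "{{ 'unmaintained' if previous_release | lower in unmaintained_releases else 'stable' }}"`, with `unmaintained_releases` (a name constructed for this note) defined next to `previous_release`. A one-line comment above `vars:` such as `# stable/2023.1 was renamed to unmaintained/2023.1` would also record why the special case exists. The block continues outside this hunk; the five uses of `branch_prefix` are in this and the following hunks.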
@@ -108,7 +110,7 @@ - name: Ensure previous kolla-ansible repository is cloned command: >- - git clone {{ kolla_ansible_src_dir }} {{ previous_kolla_ansible_src_dir }} -b stable/{{ previous_release | lower }} + git clone {{ kolla_ansible_src_dir }} {{ previous_kolla_ansible_src_dir }} -b {{ branch_prefix }}/{{ previous_release | lower }} - name: Ensure previous kayobe is executed in verbose mode lineinfile: @@ -121,14 +123,14 @@ name: kayobe-galaxy-requirements vars: kayobe_galaxy_requirements_src_dir: "{{ previous_kayobe_src_dir }}" - kayobe_galaxy_requirements_branch: "stable/{{ previous_release | lower }}" + kayobe_galaxy_requirements_branch: "{{ branch_prefix }}/{{ previous_release | lower }}" - name: Update kolla-ansible requirements.yml include_role: name: kayobe-galaxy-requirements vars: kayobe_galaxy_requirements_src_dir: "{{ previous_kolla_ansible_src_dir }}" - kayobe_galaxy_requirements_branch: "stable/{{ previous_release | lower }}" + kayobe_galaxy_requirements_branch: "{{ branch_prefix }}/{{ previous_release | lower }}" kayobe_galaxy_requirements_dest_path: "/tmp/previous-kolla-ansible-requirements.yml" when: is_upgrade From bfd8f1ebf353dcc410b0cdc105c172475f81f446 Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Wed, 29 Jan 2025 17:29:38 +0100 Subject: [PATCH 004/187] Add ovn-sb-db-relay Ansible group in overcloud Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/939331 Change-Id: I794a62841aa84d3a576f376bd0cfd3ae47b1f77a (cherry picked from commit 0ed034daee5597e6c0dd22a04d33e4a56da17cf1) --- ansible/roles/kolla-ansible/templates/overcloud-services.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ansible/roles/kolla-ansible/templates/overcloud-services.j2 b/ansible/roles/kolla-ansible/templates/overcloud-services.j2 index 11144e40e..efeb4a6e6 100644 --- a/ansible/roles/kolla-ansible/templates/overcloud-services.j2 +++ b/ansible/roles/kolla-ansible/templates/overcloud-services.j2 
@@ -453,6 +453,9 @@ ovn-database [ovn-sb-db:children] ovn-database +[ovn-sb-db-relay:children] +ovn-database + [venus-api:children] venus From 1ad6e395d185582e587ff200a28597de462b2c70 Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Thu, 30 Jan 2025 16:48:47 +0100 Subject: [PATCH 005/187] Add ovn_sb_db_relay feature flag (cherry picked from commit f195e4fca87fd29ab39b4f166d49dfc50e94a557) --- ansible/roles/kolla-ansible/vars/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible/roles/kolla-ansible/vars/main.yml b/ansible/roles/kolla-ansible/vars/main.yml index 750e13609..17015fcc7 100644 --- a/ansible/roles/kolla-ansible/vars/main.yml +++ b/ansible/roles/kolla-ansible/vars/main.yml @@ -200,6 +200,7 @@ kolla_feature_flags: - openvswitch - osprofiler - ovn + - ovn_sb_db_relay - ovs_dpdk - placement - prometheus From 0eb358d3e4419a6079a81dd0cdc99e208e4614b2 Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Fri, 21 Feb 2025 15:53:39 +0000 Subject: [PATCH 006/187] Add support for making `Bifrost` optional Add `kolla_enable_bifrost` to make deploying Bifrost optional. It defaults to `true` maintaining the current behavior. Change-Id: I7c5ac03b3ceb3f558480044f385636936df90f8f --- ansible/inventory/group_vars/all/bifrost | 3 + ansible/kolla-bifrost.yml | 2 + ansible/roles/kolla-ansible/defaults/main.yml | 6 ++ ansible/roles/kolla-ansible/templates/seed.j2 | 2 + ansible/seed-credentials.yml | 69 ++++++++++--------- ansible/seed-introspection-rules.yml | 1 + etc/kayobe/bifrost.yml | 3 + etc/kayobe/kolla.yml | 1 + ...ake-bifrost-optional-32d89388cb2e578e.yaml | 5 ++ 9 files changed, 59 insertions(+), 33 deletions(-) create mode 100644 releasenotes/notes/make-bifrost-optional-32d89388cb2e578e.yaml diff --git a/ansible/inventory/group_vars/all/bifrost b/ansible/inventory/group_vars/all/bifrost index 4d2e41aec..d9bfe0013 100644 --- a/ansible/inventory/group_vars/all/bifrost +++ b/ansible/inventory/group_vars/all/bifrost 
@@ -4,6 +4,9 @@ ############################################################################### # Bifrost installation. +# Whether to install Bifrost. Default is true. +kolla_enable_bifrost: true + # URL of Bifrost source code repository. kolla_bifrost_source_url: "https://opendev.org/openstack/bifrost" diff --git a/ansible/kolla-bifrost.yml b/ansible/kolla-bifrost.yml index b22c9eb42..ea2029098 100644 --- a/ansible/kolla-bifrost.yml +++ b/ansible/kolla-bifrost.yml @@ -17,3 +17,5 @@ kolla_bifrost_config_paths_static: - "{{ kayobe_config_path }}" kolla_bifrost_config_paths_extra: "{{ kolla_bifrost_config_paths_static + kayobe_env_search_paths }}" + kolla_bifrost_config_files: + when: kolla_enable_bifrost | bool diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml index 340060844..cd215c020 100644 --- a/ansible/roles/kolla-ansible/defaults/main.yml +++ b/ansible/roles/kolla-ansible/defaults/main.yml @@ -317,3 +317,9 @@ kolla_https_proxy: # List of domains, hostnames, IP addresses and networks for which no proxy is # used. kolla_no_proxy: + +############################################################################### +# Bifrost configuration + +# Whether to install Bifrost. Default is true. +kolla_enable_bifrost: true diff --git a/ansible/roles/kolla-ansible/templates/seed.j2 b/ansible/roles/kolla-ansible/templates/seed.j2 index 18aa56610..c19398c7b 100644 --- a/ansible/roles/kolla-ansible/templates/seed.j2 +++ b/ansible/roles/kolla-ansible/templates/seed.j2 @@ -15,4 +15,6 @@ ansible_python_interpreter={{ kolla_ansible_target_venv }}/bin/python seed [bifrost:children] +{% if kolla_enable_bifrost | bool %} seed +{% endif %} diff --git a/ansible/seed-credentials.yml b/ansible/seed-credentials.yml index a5f6e393c..7d8cadf7e 100644 --- a/ansible/seed-credentials.yml +++ b/ansible/seed-credentials.yml 
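Review bot: The added `kolla_bifrost_config_files:` line in `ansible/kolla-bifrost.yml` has no value, so YAML loads it as null, and the commit description does not mention it. Indentation is not recoverable in this view, but if the key sits among the role variables it passes null to the role instead of leaving any role default in place. If it is not needed for making Bifrost optional, drop it; if an empty value is intended, write it explicitly (`kolla_bifrost_config_files: []` or `{}`, whichever type the role expects). The enclosing play starts outside the hunk.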
@@ -9,39 +9,42 @@ vars: openstack_config_dir: "{{ ansible_facts.env.HOME }}/.config/openstack" tasks: - - name: Ensure OpenStack config directory exists - file: - path: "{{ openstack_config_dir }}" - state: directory - mode: 0700 + - name: Ensure credentials are available on the host + when: kolla_enable_bifrost | bool + block: + - name: Ensure OpenStack config directory exists + file: + path: "{{ openstack_config_dir }}" + state: directory + mode: 0700 - - name: Get clouds.yaml from Bifrost container - command: - cmd: "{{ container_engine }} exec bifrost_deploy cat /root/.config/openstack/clouds.yaml" - changed_when: false - register: clouds_yaml - no_log: true - become: "{{ container_engine == 'podman' }}" + - name: Get clouds.yaml from Bifrost container + command: + cmd: "{{ container_engine }} exec bifrost_deploy cat /root/.config/openstack/clouds.yaml" + changed_when: false + register: clouds_yaml + no_log: true + become: "{{ container_engine == 'podman' }}" - - name: Write clouds.yaml - copy: - content: | - {%- set clouds = clouds_yaml.stdout | from_yaml -%} - {%- for cloud in clouds.clouds.keys() | list -%} - {%- if 'cacert' in clouds.clouds[cloud] -%} - {%- set _ = clouds.clouds[cloud].update({'cacert': openstack_config_dir ~ '/bifrost.crt'}) -%} - {%- endif -%} - {%- endfor -%} - {{ clouds | to_nice_yaml }} - dest: "{{ openstack_config_dir }}/clouds.yaml" - mode: 0600 + - name: Write clouds.yaml + copy: + content: | + {%- set clouds = clouds_yaml.stdout | from_yaml -%} + {%- for cloud in clouds.clouds.keys() | list -%} + {%- if 'cacert' in clouds.clouds[cloud] -%} + {%- set _ = clouds.clouds[cloud].update({'cacert': openstack_config_dir ~ '/bifrost.crt'}) -%} + {%- endif -%} + {%- endfor -%} + {{ clouds | to_nice_yaml }} + dest: "{{ openstack_config_dir }}/clouds.yaml" + mode: 0600 - - name: Copy CA certificate from Bifrost container - vars: - clouds: "{{ clouds_yaml.stdout | from_yaml }}" - cacerts: "{{ clouds.clouds.values() | selectattr('cacert', 
'defined') | map(attribute='cacert') | list }}" - command: - cmd: "{{ container_engine }} cp bifrost_deploy:{{ cacerts[0] }} {{ openstack_config_dir }}/bifrost.crt" - changed_when: false - when: cacerts | length > 0 - become: "{{ container_engine == 'podman' }}" + - name: Copy CA certificate from Bifrost container + vars: + clouds: "{{ clouds_yaml.stdout | from_yaml }}" + cacerts: "{{ clouds.clouds.values() | selectattr('cacert', 'defined') | map(attribute='cacert') | list }}" + command: + cmd: "{{ container_engine }} cp bifrost_deploy:{{ cacerts[0] }} {{ openstack_config_dir }}/bifrost.crt" + changed_when: false + when: cacerts | length > 0 + become: "{{ container_engine == 'podman' }}" diff --git a/ansible/seed-introspection-rules.yml b/ansible/seed-introspection-rules.yml index 2ceb050cb..577cb6861 100644 --- a/ansible/seed-introspection-rules.yml +++ b/ansible/seed-introspection-rules.yml @@ -20,3 +20,4 @@ inspector_rule_var_deploy_kernel: "{{ kolla_bifrost_inspector_deploy_kernel }}" inspector_rule_var_deploy_ramdisk: "{{ kolla_bifrost_inspector_deploy_ramdisk }}" inspector_rule_var_legacy_deploy_kernel: "{{ kolla_bifrost_inspector_legacy_deploy_kernel }}" + when: kolla_enable_bifrost | bool diff --git a/etc/kayobe/bifrost.yml b/etc/kayobe/bifrost.yml index 741bbd8ca..d9c2e1e9a 100644 --- a/etc/kayobe/bifrost.yml +++ b/etc/kayobe/bifrost.yml @@ -4,6 +4,9 @@ ############################################################################### # Bifrost installation. +# Whether to install Bifrost. Default is true. +#kolla_enable_bifrost: + # URL of Bifrost source code repository. #kolla_bifrost_source_url: diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml index df44161d8..ce69e6ce1 100644 --- a/etc/kayobe/kolla.yml +++ b/etc/kayobe/kolla.yml @@ -280,6 +280,7 @@ #kolla_enable_aodh: #kolla_enable_barbican: +#kolla_enable_bifrost: #kolla_enable_blazar: #kolla_enable_ceilometer: #kolla_enable_ceilometer_horizon_policy_file: 
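Review bot: In `ansible/seed-credentials.yml` the task `Get clouds.yaml from Bifrost container` sets `no_log: true`, but the next task, `Write clouds.yaml`, renders that same content through `copy: content:` without it, so the file body the previous task hides can be shown when the play is run with `--diff`. Add `no_log: true` to `Write clouds.yaml` while the block is being re-indented. The two file modes could also be quoted, `mode: "0700"` and `mode: "0600"`, so that they do not rely on the YAML parser treating the bare values as octal.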
diff --git a/releasenotes/notes/make-bifrost-optional-32d89388cb2e578e.yaml b/releasenotes/notes/make-bifrost-optional-32d89388cb2e578e.yaml new file mode 100644 index 000000000..296146988 --- /dev/null +++ b/releasenotes/notes/make-bifrost-optional-32d89388cb2e578e.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Add `kolla_enable_bifrost` to make deploying Bifrost optional. It + defaults to `true` maintaining the current behavior. From 605309805151f510bd6e6218e87abdbb8b8c13ad Mon Sep 17 00:00:00 2001 From: Grzegorz Koper Date: Tue, 25 Mar 2025 16:27:28 +0100 Subject: [PATCH 007/187] Bump up Ansible supported versions to 11.x/12.x This change bumps up the maximum supported version of Ansible to 12.x (ansible-core 2.18.x) and minimum to 11.x (ansible-core 2.17.x). Change-Id: I1c4aa7f22a9cfa6d2c1abad8efaca880572a0bdf --- ansible/roles/kolla-ansible/defaults/main.yml | 2 +- releasenotes/notes/bump-ansible-11-12-0eaf6b997b716ba4.yaml | 6 ++++++ requirements.txt | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/bump-ansible-11-12-0eaf6b997b716ba4.yaml diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml index 340060844..8474be5ba 100644 --- a/ansible/roles/kolla-ansible/defaults/main.yml +++ b/ansible/roles/kolla-ansible/defaults/main.yml @@ -26,7 +26,7 @@ kolla_ansible_venv_extra_requirements: [] # tested code. Changes to this limit should be tested. It is possible to only # install ansible-core by setting kolla_ansible_venv_ansible to None. kolla_ansible_venv_ansible: -kolla_ansible_venv_ansible_core: 'ansible-core>=2.16,<2.18' +kolla_ansible_venv_ansible_core: 'ansible-core>=2.17,<2.19' # Path to a requirements.yml file for Ansible collections. kolla_ansible_requirements_yml: "{{ kolla_ansible_venv }}/share/kolla-ansible/requirements.yml" 
diff --git a/releasenotes/notes/bump-ansible-11-12-0eaf6b997b716ba4.yaml b/releasenotes/notes/bump-ansible-11-12-0eaf6b997b716ba4.yaml new file mode 100644 index 000000000..19075d47f --- /dev/null +++ b/releasenotes/notes/bump-ansible-11-12-0eaf6b997b716ba4.yaml @@ -0,0 +1,6 @@ +--- + upgrade: + - | + Updates the maximum supported version of Ansible from 11 (ansible-core + 2.17) to 12 (ansible-core 2.18). The minimum supported version is updated + from 9.x to 10.x. This is true for both Kayobe and Kolla Ansible. diff --git a/requirements.txt b/requirements.txt index dee34cc51..c4141c12d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,6 +1,6 @@ pbr>=2.0 # Apache-2.0 Jinja2>3 # BSD -ansible>=9,<11 # GPLv3 +ansible>=10,<12 # GPLv3 cliff>=3.1.0 # Apache netaddr!=0.7.16,>=0.7.13 # BSD PyYAML>=3.10.0 # MIT From 3b3835d26c6318c428f8801c2e52f6302b99486a Mon Sep 17 00:00:00 2001 From: OpenStack Release Bot Date: Tue, 20 May 2025 13:52:08 +0000 Subject: [PATCH 008/187] Update master for stable/2025.1 Add file to the reno documentation build to show release notes for stable/2025.1. Use pbr instruction to increment the minor version number automatically so that master versions are higher than the versions on stable/2025.1. Sem-Ver: feature Change-Id: I7e94a2d048a30ecc330be4cb5759e008353881f9 --- releasenotes/source/2025.1.rst | 6 ++++++ releasenotes/source/index.rst | 1 + 2 files changed, 7 insertions(+) create mode 100644 releasenotes/source/2025.1.rst diff --git a/releasenotes/source/2025.1.rst b/releasenotes/source/2025.1.rst new file mode 100644 index 000000000..3add0e53a --- /dev/null +++ b/releasenotes/source/2025.1.rst @@ -0,0 +1,6 @@ +=========================== +2025.1 Series Release Notes +=========================== + +.. release-notes:: + :branch: stable/2025.1 diff --git a/releasenotes/source/index.rst b/releasenotes/source/index.rst index 97ae9bdb6..4a413860a 100644 --- a/releasenotes/source/index.rst +++ b/releasenotes/source/index.rst 
@@ -6,6 +6,7 @@ Kayobe Release Notes :maxdepth: 1 unreleased + 2025.1 2024.2 2024.1 2023.2 From 5b2317418f7ae207d9ebab686f94bbb693d6b5d3 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 21 May 2025 10:14:06 +0000 Subject: [PATCH 009/187] Revert "[release] Use OpenStack 2025.1 release" This reverts commit 3c916b3e95b403f6aef12dda32a055935c9be477. Reason for revert: 2025.1 has been branched and released Change-Id: I79ba209ad2d9b444360cac34da3d0ed5db45bbd0 --- ansible/inventory/group_vars/all/openstack | 6 +++--- etc/kayobe/openstack.yml | 4 ++-- requirements.yml | 2 +- tox.ini | 10 +++++----- zuul.d/jobs.yaml | 8 -------- 5 files changed, 11 insertions(+), 19 deletions(-) diff --git a/ansible/inventory/group_vars/all/openstack b/ansible/inventory/group_vars/all/openstack index e0cb9f783..e2525ac78 100644 --- a/ansible/inventory/group_vars/all/openstack +++ b/ansible/inventory/group_vars/all/openstack @@ -2,10 +2,10 @@ ############################################################################### # OpenStack release configuration. -# Name of the current OpenStack release. Default is "2025.1". -openstack_release: "2025.1" +# Name of the current OpenStack release. Default is "master". +openstack_release: "master" -# Name of the current OpenStack branch. Default is "stable/2025.1". +# Name of the current OpenStack branch. Default is "master". openstack_branch: >- {% if openstack_release != 'master' %}stable/{% endif %}{{ openstack_release | lower }} diff --git a/etc/kayobe/openstack.yml b/etc/kayobe/openstack.yml index 081e4be24..1acfd0756 100644 --- a/etc/kayobe/openstack.yml +++ b/etc/kayobe/openstack.yml 
@@ -2,10 +2,10 @@ ############################################################################### # OpenStack release configuration. -# Name of the current OpenStack release. Default is "2025.1". +# Name of the current OpenStack release. Default is "master". #openstack_release: -# Name of the current OpenStack branch. Default is "stable/2025.1". +# Name of the current OpenStack branch. Default is "master". #openstack_branch: ############################################################################### diff --git a/requirements.yml b/requirements.yml index a6739af7a..11b2b0025 100644 --- a/requirements.yml +++ b/requirements.yml @@ -2,7 +2,7 @@ collections: - name: https://opendev.org/openstack/ansible-collection-kolla type: git - version: stable/2025.1 + version: master - name: community.docker version: 3.11.0 - name: dellemc.os10 diff --git a/tox.ini b/tox.ini index 80c823aac..4acf49860 100644 --- a/tox.ini +++ b/tox.ini @@ -18,7 +18,7 @@ setenv = OS_STDERR_CAPTURE=1 OS_TEST_TIMEOUT=60 deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2025.1} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} -r{toxinidir}/requirements.txt -r{toxinidir}/test-requirements.txt commands = stestr run {posargs} @@ -26,7 +26,7 @@ commands = stestr run {posargs} [testenv:pep8] # sphinx8 needs the sphinx package which is required via doc/requirements.txt deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2025.1} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} -r{toxinidir}/requirements.txt -r{toxinidir}/doc/requirements.txt -r{toxinidir}/test-requirements.txt 
@@ -41,7 +41,7 @@ commands = [testenv:venv] deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2025.1} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} -r{toxinidir}/test-requirements.txt -r{toxinidir}/doc/requirements.txt commands = {posargs} @@ -59,7 +59,7 @@ commands = [testenv:molecule] deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2025.1} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} -r{toxinidir}/requirements.txt -r{toxinidir}/molecule-requirements.txt commands = @@ -110,7 +110,7 @@ commands = [testenv:docs] deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2025.1} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} -r{toxinidir}/doc/requirements.txt commands = rm -rf doc/build/html diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 3dee43bce..622518e04 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -71,19 +71,11 @@ required-projects: # Include kayobe to ensure other projects can use this job. - name: openstack/ansible-collection-kolla - # TODO(priteau): Remove when kayobe stable/2025.1 exists. - override-checkout: stable/2025.1 - name: openstack/kayobe - name: openstack/kayobe-config-dev - name: openstack/kolla - # TODO(priteau): Remove when kayobe stable/2025.1 exists. - override-checkout: stable/2025.1 - name: openstack/kolla-ansible - # TODO(priteau): Remove when kayobe stable/2025.1 exists. - override-checkout: stable/2025.1 - name: openstack/requirements - # TODO(priteau): Remove when kayobe stable/2025.1 exists. - override-checkout: stable/2025.1 - name: openstack/tenks irrelevant-files: - ^\..+ From 8b8c1f070338bddc1d01cb7bbadf3d5eef0b711a Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Wed, 21 May 2025 12:23:13 +0200 Subject: [PATCH 010/187] CI: Remove openstack-tox-py39 override OpenStack 2025.2 drops support for Python 3.9 [1], so we can finally revert to the default openstack-python3-jobs template. [1] https://governance.openstack.org/tc/reference/runtimes/2025.2.html Change-Id: I0477b21a77bc04db3a443f40c4517d3143bc544b --- zuul.d/project.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 76783e56e..a790e711c 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -8,9 +8,6 @@ - release-notes-jobs-python3 check: jobs: - - openstack-tox-py39: - #NOTE(wszumski): We have dropped python3.9 support, so disable this job. - files: THIS-JOB-IS-DISABLED - kayobe-tox-ansible-syntax - kayobe-tox-ansible - kayobe-tox-molecule @@ -41,9 +38,6 @@ - kayobe-infra-vm-ubuntu-noble gate: jobs: - - openstack-tox-py39: - #NOTE(wszumski): We have dropped python3.9 support, so disable this job. - files: THIS-JOB-IS-DISABLED - kayobe-tox-ansible-syntax - kayobe-tox-ansible - kayobe-tox-molecule From cdba0957b8544ff163df904c7cb6b07d6a3e0f79 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 21 May 2025 13:30:39 +0200 Subject: [PATCH 011/187] CI: Update command to match allowlist_externals Invoking /bin/bash in the alint tox enviroment fails because it is absent from allowlist_externals. Use bash instead. Change-Id: I08e379da67fa0548428cb999c23f0751df0cbe0c --- tox.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tox.ini b/tox.ini index 1d9a45ee9..80c823aac 100644 --- a/tox.ini +++ b/tox.ini @@ -70,7 +70,7 @@ commands = bash -c "source {envdir}/bin/activate && {toxinidir}/tools/test-molecule.sh {posargs}" [testenv:alint] -commands = /bin/bash -c "ansible-lint {toxinidir}/ansible/*.yml" +commands = bash -c "ansible-lint {toxinidir}/ansible/*.yml" [testenv:ansible-syntax] commands = From 4e2220bb6cd2b0e6d6e8a2106113ec25db55c3a3 Mon Sep 17 00:00:00 2001 
From: Michal Arbet Date: Thu, 22 May 2025 22:23:24 +0200 Subject: [PATCH 012/187] Fix compatibility with Kolla virtualenv configuration This change updates how Kayobe handles Python virtual environments to ensure compatibility with the virtualenv handling used in kolla-ansible [1] and ansible-collection-kolla [2]. Summary: - Removes hardcoded 'ansible_python_interpreter' from templates. - Introduces support for the 'virtualenv' variable used by SDK roles. - Enables cleaner and more consistent interpreter selection. [1] https://review.opendev.org/c/openstack/kolla-ansible/+/949812 [2] https://review.opendev.org/c/openstack/ansible-collection-kolla/+/949767 Closes-Bug: #2111594 Change-Id: I7cfb600eec268749ea1315112fe3a9429ab3ab8e --- ansible/kayobe-target-venv.yml | 2 +- ansible/roles/kolla-ansible/templates/kolla/globals.yml | 8 ++++++++ .../roles/kolla-ansible/templates/overcloud-components.j2 | 1 + .../roles/kolla-ansible/templates/overcloud-top-level.j2 | 5 ----- ansible/roles/kolla-ansible/templates/seed.j2 | 2 +- releasenotes/notes/bug-2111594-656e035ece40fbf6.yaml | 7 +++++++ 6 files changed, 18 insertions(+), 7 deletions(-) create mode 100644 releasenotes/notes/bug-2111594-656e035ece40fbf6.yaml diff --git a/ansible/kayobe-target-venv.yml b/ansible/kayobe-target-venv.yml index 53c0ef0c2..1ca845c0e 100644 --- a/ansible/kayobe-target-venv.yml +++ b/ansible/kayobe-target-venv.yml @@ -85,7 +85,7 @@ vars: # Use the system python interpreter since the virtualenv might not # exist. - ansible_python_interpreter: /usr/bin/python3 + ansible_python_interpreter: "{{ ansible_facts.python.executable }}" when: virtualenv is defined # If we gathered facts earlier it would have been with a different Python diff --git a/ansible/roles/kolla-ansible/templates/kolla/globals.yml b/ansible/roles/kolla-ansible/templates/kolla/globals.yml index 4ac8a9c45..31215b3c2 100644 --- a/ansible/roles/kolla-ansible/templates/kolla/globals.yml 
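Review bot: In `ansible/kayobe-target-venv.yml` the retained comment still says the system interpreter is used because the virtualenv might not exist, but `ansible_facts.python.executable` is whichever interpreter gathered the facts, which is the system Python only if facts were collected before `ansible_python_interpreter` pointed at the virtualenv. If facts can come from a cache or an earlier run that used the virtualenv interpreter, this task would target a path that may be absent, which is the case the comment guards against. Either make the assumption explicit in the comment, `# Use the interpreter that gathered facts; facts must have been gathered with the system Python here.`, or keep a fallback such as `"{{ ansible_facts.python.executable | default('/usr/bin/python3') }}"`. The task these lines belong to starts outside the hunk.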
+++ b/ansible/roles/kolla-ansible/templates/kolla/globals.yml @@ -505,6 +505,14 @@ ironic_inspector_kernel_cmdline_extras: grafana_admin_username: "{{ grafana_local_admin_user_name }}" {% endif %} +########################### +# Target python environment +########################### +{% if kolla_ansible_target_venv is not none %} +# Execute ansible modules on the remote target hosts using a virtualenv. +virtualenv: "{{ kolla_ansible_target_venv }}" +{% endif %} + {% if kolla_extra_globals %} ####################### # Extra configuration diff --git a/ansible/roles/kolla-ansible/templates/overcloud-components.j2 b/ansible/roles/kolla-ansible/templates/overcloud-components.j2 index c6c193f66..0ef0a176c 100644 --- a/ansible/roles/kolla-ansible/templates/overcloud-components.j2 +++ b/ansible/roles/kolla-ansible/templates/overcloud-components.j2 @@ -11,6 +11,7 @@ network compute storage monitoring +bifrost [tls-backend:children] control diff --git a/ansible/roles/kolla-ansible/templates/overcloud-top-level.j2 b/ansible/roles/kolla-ansible/templates/overcloud-top-level.j2 index 26953081f..c0efff9e8 100644 --- a/ansible/roles/kolla-ansible/templates/overcloud-top-level.j2 +++ b/ansible/roles/kolla-ansible/templates/overcloud-top-level.j2 @@ -23,11 +23,6 @@ ansible_user={{ kolla_ansible_user }} {% if kolla_ansible_become | bool %} ansible_become=true {% endif %} -{% if kolla_ansible_target_venv is not none %} -# Execute ansible modules on the remote target hosts using a virtualenv. -ansible_python_interpreter={{ kolla_ansible_target_venv }}/bin/python -{% endif %} - {% for kolla_group, kolla_group_config in kolla_overcloud_inventory_top_level_group_map.items() %} {% if 'groups' in kolla_group_config %} diff --git a/ansible/roles/kolla-ansible/templates/seed.j2 b/ansible/roles/kolla-ansible/templates/seed.j2 index 18aa56610..fc72fb734 100644 --- a/ansible/roles/kolla-ansible/templates/seed.j2 +++ b/ansible/roles/kolla-ansible/templates/seed.j2 
@@ -8,7 +8,7 @@ ansible_user={{ kolla_ansible_user }} {% if kolla_ansible_target_venv is not none %} # Execute ansible modules on the remote target hosts using a virtualenv. -ansible_python_interpreter={{ kolla_ansible_target_venv }}/bin/python +virtualenv={{ kolla_ansible_target_venv }} {% endif %} [baremetal:children] diff --git a/releasenotes/notes/bug-2111594-656e035ece40fbf6.yaml b/releasenotes/notes/bug-2111594-656e035ece40fbf6.yaml new file mode 100644 index 000000000..f19ce5c55 --- /dev/null +++ b/releasenotes/notes/bug-2111594-656e035ece40fbf6.yaml @@ -0,0 +1,7 @@ +--- +fixes: + - | + Fixes incorrect handling of ``ansible_python_interpreter`` when using + ``ansible-collection-kolla``. Kayobe now aligns its behavior with + ``kolla-ansible`` to ensure the correct interpreter is used. + `LP#2111594 `__ From e3cb2e1149eb9649beeee335caa3289587dab22f Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Mon, 26 May 2025 18:38:02 +0200 Subject: [PATCH 013/187] CI: remove SLURP jobs for F cycle Flamingo is not a SLURP release. [1] [1] https://releases.openstack.org Change-Id: I14e7d7a5b4e3a2f66cf15d3ab0c9a11cf9833f3e --- zuul.d/project.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 76783e56e..0892861dd 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -23,8 +23,6 @@ - kayobe-overcloud-host-configure-ubuntu-noble - kayobe-overcloud-upgrade-rocky9 - kayobe-overcloud-upgrade-ubuntu-noble - - kayobe-overcloud-upgrade-slurp-rocky9 - - kayobe-overcloud-upgrade-slurp-ubuntu-noble - kayobe-seed-rocky9 - kayobe-seed-rocky9-podman - kayobe-seed-ubuntu-noble @@ -32,7 +30,6 @@ - kayobe-seed-images-rocky9 - kayobe-seed-upgrade-rocky9 - kayobe-seed-upgrade-ubuntu-noble - - kayobe-seed-upgrade-slurp-rocky9 - kayobe-seed-vm-rocky9 - kayobe-seed-vm-rocky9-efi - kayobe-seed-vm-ubuntu-noble 
@@ -56,15 +53,12 @@ - kayobe-overcloud-host-configure-ubuntu-noble - kayobe-overcloud-upgrade-rocky9 - kayobe-overcloud-upgrade-ubuntu-noble - - kayobe-overcloud-upgrade-slurp-rocky9 - - kayobe-overcloud-upgrade-slurp-ubuntu-noble - kayobe-seed-rocky9 - kayobe-seed-rocky9-podman - kayobe-seed-ubuntu-noble - kayobe-seed-ubuntu-noble-podman - kayobe-seed-upgrade-rocky9 - kayobe-seed-upgrade-ubuntu-noble - - kayobe-seed-upgrade-slurp-rocky9 - kayobe-seed-vm-rocky9 - kayobe-seed-vm-ubuntu-noble - kayobe-infra-vm-rocky9 From 2f6aee4e8785be58cc6dd68e7b27e997af91361f Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 27 May 2025 09:11:43 +0200 Subject: [PATCH 014/187] CI: Set previous_release for 2025.2 Flamingo We also need to remove the RabbitMQ queue migration from the upgrade jobs. The queues are already in the correct state when deployed on 2025.1 Epoxy and the migration script is absent from this release. Change-Id: I79cb938017721588012d820b86740b7219be5cab --- playbooks/kayobe-overcloud-upgrade-base/run.yml | 11 ----------- zuul.d/jobs.yaml | 2 +- 2 files changed, 1 insertion(+), 12 deletions(-) diff --git a/playbooks/kayobe-overcloud-upgrade-base/run.yml b/playbooks/kayobe-overcloud-upgrade-base/run.yml index fef50fbd6..820536979 100644 --- a/playbooks/kayobe-overcloud-upgrade-base/run.yml +++ b/playbooks/kayobe-overcloud-upgrade-base/run.yml @@ -83,17 +83,6 @@ chdir: "{{ previous_kayobe_src_dir }}" executable: /bin/bash - # Migrate RabbitMQ queues. - - - name: Ensure RabbitMQ queues are migrated - shell: - cmd: dev/rabbitmq-migrate-queues.sh ironic,keystone,neutron,nova &> {{ logs_dir }}/ansible/rabbitmq-migrate-queues - chdir: "{{ previous_kayobe_src_dir }}" - executable: /bin/bash - environment: - KAYOBE_CONFIG_SOURCE_PATH: "{{ previous_kayobe_config_src_dir }}" - KAYOBE_SOURCE_PATH: "{{ previous_kayobe_src_dir }}" - # Upgrade Kayobe, and use it to perform an upgrade of the control plane. - name: Ensure overcloud is upgraded 
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 622518e04..530545b39 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -105,7 +105,7 @@ tenks_src_dir: "{{ ansible_env.PWD ~ '/' ~ zuul.projects['opendev.org/openstack/tenks'].src_dir }}" is_upgrade: "{{ 'upgrade' in zuul.job }}" is_slurp: "{{ 'slurp' in zuul.job }}" - previous_release: "{{ '2024.1' if is_slurp else '2024.2' }}" + previous_release: "{{ '2025.1' if is_slurp else '2025.1' }}" tls_enabled: false container_engine: 'docker' ironic_boot_mode: "bios" From 9b805ad1902ad9c805d210cca0dde8a5481389c5 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 27 May 2025 15:57:18 +0200 Subject: [PATCH 015/187] Fix syntax error in drac-pxe role Probably the result of a copy-paste from an earlier line in the file. Change-Id: I852e945ae2e6261f8b9a549fbba75adc450459c6 --- ansible/roles/drac-pxe/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/drac-pxe/tasks/main.yml b/ansible/roles/drac-pxe/tasks/main.yml index cf8d51382..aa97364ad 100644 --- a/ansible/roles/drac-pxe/tasks/main.yml +++ b/ansible/roles/drac-pxe/tasks/main.yml @@ -114,7 +114,7 @@ - name: Set a fact containing the UEFI PXE interface set_fact: - current_pxe_interface: "{{ result.stdout_lines[-1].partition('=')[2]}] }}" + current_pxe_interface: "{{ result.stdout_lines[-1].partition('=')[2] }}" required_pxe_interface: "{{ 'NIC.Integrated.1-' ~ drac_pxe_interface ~ '-1' }}" - name: Fail if there are pending UEFI PXE interface changes From 816d6ffde288d98bbc219c492eb47fa5275805d3 Mon Sep 17 00:00:00 2001 
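Review bot: In the zuul.d/jobs.yaml hunk the new `previous_release` expression yields '2025.1' on both branches, so `is_slurp` no longer affects it and the ternary reads like a copy-paste slip. Either collapse it to `previous_release: "2025.1"`, or keep the ternary and say why with a comment such as `# Both branches match while this cycle has no SLURP jobs; restore the split for the next SLURP release.` The job definition that owns this variable starts and ends outside the hunk.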
From: Pierre Riteau Date: Tue, 27 May 2025 22:08:39 +0200 Subject: [PATCH 016/187] Configure ansible-lint and fix issues found Copy ansible-lint configuration from kolla-ansible as a starting point. Also replace alint tox job by ansible-lint. Fix various issues found by ansible-lint to make it pass with the current set of rules. Change-Id: I1d6173caadbcf249330512e170af8095464f1237 --- .ansible-lint | 44 +++++++ .gitignore | 1 + ansible/apt.yml | 2 +- ansible/baremetal-compute-register.yml | 68 +++++------ ansible/baremetal-compute-serial-console.yml | 110 +++++++++--------- ansible/kayobe-target-venv.yml | 24 ++-- ansible/kolla-target-venv.yml | 4 +- ansible/mdadm.yml | 2 +- ansible/proxy.yml | 1 + .../disable-cloud-init/handlers/main.yml | 2 +- .../roles/disable-cloud-init/tasks/main.yml | 2 +- ansible/roles/dnf/tasks/main.yml | 2 +- .../roles/docker-registry/tasks/destroy.yml | 2 +- ansible/roles/infra-vms/tasks/main.yml | 2 +- ansible/roles/kolla-ansible/tasks/install.yml | 2 +- .../kolla-ansible/templates/kolla/globals.yml | 1 - .../kolla-ansible/tests/test-defaults.yml | 2 +- .../roles/kolla-openstack/defaults/main.yml | 2 +- .../roles/manage-containers/tasks/deploy.yml | 2 +- .../roles/manage-containers/tasks/destroy.yml | 3 +- .../tests/test-bootstrapped.yml | 2 +- .../tests/test-invalid-format.yml | 2 +- .../swift-block-devices/tests/test-mount.yml | 2 +- ansible/ssh-known-host.yml | 1 - ansible/tuned.yml | 2 +- dev/dev-vagrant-network-allocation.yml | 1 + doc/source/contributor/testing.rst | 4 +- tox.ini | 24 +++- 28 files changed, 191 insertions(+), 125 deletions(-) create mode 100644 .ansible-lint diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 000000000..1392b7a1c --- /dev/null +++ b/.ansible-lint 
@@ -0,0 +1,44 @@ +--- +# NOTE(priteau): Rule file imported from kolla-ansible +strict: true +use_default_rules: true +skip_list: + # [E301] Commands should not change things if nothing needs doing + # TODO(mnasiadka): Fix tasks that fail this check in a later iteration + - no-changed-when + # [E503] Tasks that run when changed should likely be handlers + - no-handler + # [unnamed-task] All tasks should be named + # FIXME(mgoddard): Add names to all tasks + - unnamed-task + # disable experimental rules + - experimental + # Package installs should not use latest + - package-latest + # Most files should not contain tabs + - no-tabs + # NOTE(frickler): Agreed at Zed PTG not to use FQCN for builtin actions for now, due to + # conflicts with open patches and backports. + - fqcn-builtins + # Allow Jinja templating inside task and play names + - name[template] + # FQCNs again, now for module actions + - fqcn[action] + # role name check matching ^*$ + - role-name + # Allow long lines + - yaml[line-length] + # TODO(frickler): Discuss these in detail, skipping for now to unblock things + - command-instead-of-module + - command-instead-of-shell + - deprecated-local-action + - ignore-errors + - jinja[spacing] + - key-order[task] + - name[play] + - no-free-form + - risky-file-permissions + - risky-shell-pipe + - run-once[task] + - var-naming[no-reserved] + - var-naming[no-role-prefix] diff --git a/.gitignore b/.gitignore index f8b8b4942..edc6eab5a 100644 --- a/.gitignore +++ b/.gitignore @@ -58,6 +58,7 @@ ansible/*.retry ansible/roles/*/tests/*.retry # Ansible Galaxy roles & collections +.ansible ansible/roles/*\.*/ ansible/collections/ diff --git a/ansible/apt.yml b/ansible/apt.yml index 0172249e0..633454563 100644 --- a/ansible/apt.yml +++ b/ansible/apt.yml @@ -11,7 +11,7 @@ tags: - apt tasks: - - name: include apt role + - name: Include apt role include_role: name: apt when: ansible_facts.os_family == 'Debian' 
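Review bot: The `skip_list` in the new .ansible-lint disables `risky-file-permissions`, `risky-shell-pipe` and `ignore-errors` under one "skipping for now" TODO, and these are the rules that report files created without an explicit mode, shell pipelines whose failures are masked, and tasks whose errors are ignored. ansible-lint also accepts a `warn_list`; moving these entries there keeps the gate passing while the findings still appear in the job output. If they have to stay skipped, give each its own comment naming the follow-up, for example `# TODO(<owner>): re-enable once file modes are set explicitly` above `- risky-file-permissions`.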
diff --git a/ansible/baremetal-compute-register.yml b/ansible/baremetal-compute-register.yml index 0dedfe527..95b18f97e 100644 --- a/ansible/baremetal-compute-register.yml +++ b/ansible/baremetal-compute-register.yml 
@@ -39,42 +39,42 @@ fail_msg: One or more Ironic variables are undefined. - block: - - name: Show baremetal node - ansible.builtin.command: - cmd: "{{ venv }}/bin/openstack baremetal node show {{ inventory_hostname }}" - register: node_show - failed_when: - - '"HTTP 404" not in node_show.stderr' - - node_show.rc != 0 - changed_when: false + - name: Show baremetal node + ansible.builtin.command: + cmd: "{{ venv }}/bin/openstack baremetal node show {{ inventory_hostname }}" + register: node_show + failed_when: + - '"HTTP 404" not in node_show.stderr' + - node_show.rc != 0 + changed_when: false - # NOTE: The openstack.cloud.baremetal_node module cannot be used in this - # script due to requiring a MAC address pre-defined, instead, this should - # be discovered by inpsection following this script. - # - # NOTE: IPMI address must be passed with Redfish address to ensure existing - # Ironic nodes match with new nodes during inspection. - - name: Create baremetal nodes - ansible.builtin.shell: - cmd: | - {{ venv }}/bin/openstack baremetal node create \ - --name {{ inventory_hostname }} \ - --driver {{ ironic_driver }} \ - {% for key, value in ironic_driver_info.items() %} - --driver-info {{ key }}={{ value }} \ - {% endfor %} - {% for key, value in ironic_properties.items() %} - --property {{ key }}={{ value }} \ - {% endfor %} - --resource-class {{ ironic_resource_class }} - when: - - node_show.rc != 0 + # NOTE: The openstack.cloud.baremetal_node module cannot be used in this + # script due to requiring a MAC address pre-defined, instead, this should + # be discovered by inpsection following this script. + # + # NOTE: IPMI address must be passed with Redfish address to ensure existing + # Ironic nodes match with new nodes during inspection. 
+ - name: Create baremetal nodes + ansible.builtin.shell: + cmd: | + {{ venv }}/bin/openstack baremetal node create \ + --name {{ inventory_hostname }} \ + --driver {{ ironic_driver }} \ + {% for key, value in ironic_driver_info.items() %} + --driver-info {{ key }}={{ value }} \ + {% endfor %} + {% for key, value in ironic_properties.items() %} + --property {{ key }}={{ value }} \ + {% endfor %} + --resource-class {{ ironic_resource_class }} + when: + - node_show.rc != 0 - - name: Manage baremetal nodes - ansible.builtin.command: - cmd: "{{ venv }}/bin/openstack baremetal node manage {{ inventory_hostname }} --wait" - when: - - node_show.rc != 0 + - name: Manage baremetal nodes + ansible.builtin.command: + cmd: "{{ venv }}/bin/openstack baremetal node manage {{ inventory_hostname }} --wait" + when: + - node_show.rc != 0 delegate_to: "{{ controller_host }}" vars: # NOTE: Without this, the controller's ansible_host variable will not diff --git a/ansible/baremetal-compute-serial-console.yml b/ansible/baremetal-compute-serial-console.yml index d6fedccb0..39acc3bd1 100644 --- a/ansible/baremetal-compute-serial-console.yml +++ b/ansible/baremetal-compute-serial-console.yml 
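Review bot: The `Create baremetal nodes` task in ansible/baremetal-compute-register.yml interpolates `{{ key }}={{ value }}` from `ironic_driver_info` and `ironic_properties` into an `ansible.builtin.shell` command without quoting, so a value containing spaces or shell metacharacters changes the command that runs on the controller. The commit re-indents these lines without altering them, which makes this a convenient place to apply the `quote` filter: `--driver-info {{ key }}={{ value | quote }} \` and `--property {{ key }}={{ value | quote }} \`. If `ironic_driver_info` can carry BMC credentials (not visible here), `no_log: true` on the task would also keep them out of the task output. The enclosing play starts before the hunk and continues after it.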
@@ -19,35 +19,35 @@ extra_args: "{% if pip_upper_constraints_file %}-c {{ pip_upper_constraints_file }}{% endif %}" - block: - - name: Fail if allocation pool start not defined - fail: - msg: > - The variable, ironic_serial_console_tcp_pool_start is not defined. - This variable is required to run this playbook. - when: not ironic_serial_console_tcp_pool_start + - name: Fail if allocation pool start not defined + fail: + msg: > + The variable, ironic_serial_console_tcp_pool_start is not defined. + This variable is required to run this playbook. + when: not ironic_serial_console_tcp_pool_start - - name: Fail if allocation pool end not defined - fail: - msg: > - The variable, ironic_serial_console_tcp_pool_end is not defined. - This variable is required to run this playbook. - when: - - not ironic_serial_console_tcp_pool_end + - name: Fail if allocation pool end not defined + fail: + msg: > + The variable, ironic_serial_console_tcp_pool_end is not defined. + This variable is required to run this playbook. 
+ when: + - not ironic_serial_console_tcp_pool_end - - name: Get list of nodes that we should configure serial consoles on - set_fact: - baremetal_nodes: >- - {{ query('inventory_hostnames', console_compute_node_limit | - default('baremetal-compute') ) | unique }} + - name: Get list of nodes that we should configure serial consoles on + set_fact: + baremetal_nodes: >- + {{ query('inventory_hostnames', console_compute_node_limit | + default('baremetal-compute') ) | unique }} - - name: Reserve TCP ports for ironic serial consoles - include_role: - name: console-allocation - vars: - console_allocation_pool_start: "{{ ironic_serial_console_tcp_pool_start }}" - console_allocation_pool_end: "{{ ironic_serial_console_tcp_pool_end }}" - console_allocation_ironic_nodes: "{{ baremetal_nodes }}" - console_allocation_filename: "{{ kayobe_env_config_path }}/console-allocation.yml" + - name: Reserve TCP ports for ironic serial consoles + include_role: + name: console-allocation + vars: + console_allocation_pool_start: "{{ ironic_serial_console_tcp_pool_start }}" + console_allocation_pool_end: "{{ ironic_serial_console_tcp_pool_end }}" + console_allocation_ironic_nodes: "{{ baremetal_nodes }}" + console_allocation_filename: "{{ kayobe_env_config_path }}/console-allocation.yml" when: cmd == "enable" - name: Enable serial console 
@@ -76,37 +76,37 @@ ansible_host: "{{ hostvars[controller_host].ansible_host | default(controller_host) }}" - block: - - name: Fail if console interface is not ipmitool-socat - fail: - msg: >- - In order to use the serial console you must set the console_interface to ipmitool-socat. - when: node["Console Interface"] != "ipmitool-socat" + - name: Fail if console interface is not ipmitool-socat + fail: + msg: >- + In order to use the serial console you must set the console_interface to ipmitool-socat. + when: node["Console Interface"] != "ipmitool-socat" - - name: Set IPMI serial console terminal port - vars: - name: "{{ node['Name'] }}" - port: "{{ hostvars[controller_host].console_allocation_result.ports[name] }}" - # NOTE: Without this, the controller's ansible_host variable will not - # be respected when using delegate_to. - ansible_host: "{{ hostvars[controller_host].ansible_host | default(controller_host) }}" - command: > - {{ venv }}/bin/openstack baremetal node set {{ name }} --driver-info ipmi_terminal_port={{ port }} - delegate_to: "{{ controller_host }}" - environment: "{{ openstack_auth_env }}" - when: >- - node['Driver Info'].ipmi_terminal_port is not defined or - node['Driver Info'].ipmi_terminal_port | int != port | int + - name: Set IPMI serial console terminal port + vars: + name: "{{ node['Name'] }}" + port: "{{ hostvars[controller_host].console_allocation_result.ports[name] }}" + # NOTE: Without this, the controller's ansible_host variable will not + # be respected when using delegate_to. 
+ ansible_host: "{{ hostvars[controller_host].ansible_host | default(controller_host) }}" + command: > + {{ venv }}/bin/openstack baremetal node set {{ name }} --driver-info ipmi_terminal_port={{ port }} + delegate_to: "{{ controller_host }}" + environment: "{{ openstack_auth_env }}" + when: >- + node['Driver Info'].ipmi_terminal_port is not defined or + node['Driver Info'].ipmi_terminal_port | int != port | int - - name: Enable the IPMI socat serial console - vars: - # NOTE: Without this, the controller's ansible_host variable will not - # be respected when using delegate_to. - ansible_host: "{{ hostvars[controller_host].ansible_host | default(controller_host) }}" - command: > - {{ venv }}/bin/openstack baremetal node console enable {{ node['Name'] }} - delegate_to: "{{ controller_host }}" - environment: "{{ openstack_auth_env }}" - when: not node['Console Enabled'] + - name: Enable the IPMI socat serial console + vars: + # NOTE: Without this, the controller's ansible_host variable will not + # be respected when using delegate_to. + ansible_host: "{{ hostvars[controller_host].ansible_host | default(controller_host) }}" + command: > + {{ venv }}/bin/openstack baremetal node console enable {{ node['Name'] }} + delegate_to: "{{ controller_host }}" + environment: "{{ openstack_auth_env }}" + when: not node['Console Enabled'] vars: matching_nodes: >- {{ (nodes.stdout | from_json) | selectattr('Name', 'defined') | diff --git a/ansible/kayobe-target-venv.yml b/ansible/kayobe-target-venv.yml index 1ca845c0e..99d22f586 100644 --- a/ansible/kayobe-target-venv.yml +++ b/ansible/kayobe-target-venv.yml @@ -15,7 +15,7 @@ tasks: - name: Set a fact about the kayobe target virtualenv set_fact: - virtualenv: "{{ ansible_python_interpreter | dirname | dirname }}" + kayobe_virtualenv: "{{ ansible_python_interpreter | dirname | dirname }}" when: - ansible_python_interpreter is defined - not ansible_python_interpreter.startswith('/bin') 
@@ -47,12 +47,12 @@ mode: 0755 # Check whether the virtualenv directory is a subdirectory of the # global virtualenv directory. - when: virtualenv.startswith(virtualenv_path) + when: kayobe_virtualenv.startswith(virtualenv_path) become: True - name: Ensure kayobe virtualenv directory exists file: - path: "{{ virtualenv }}" + path: "{{ kayobe_virtualenv }}" state: directory owner: "{{ ansible_facts.user_uid }}" group: "{{ ansible_facts.user_gid }}" @@ -69,7 +69,7 @@ pip: name: pip state: latest - virtualenv: "{{ virtualenv }}" + virtualenv: "{{ kayobe_virtualenv }}" # Site packages are required for using the dnf module, which is not # available via PyPI. virtualenv_site_packages: True @@ -79,14 +79,14 @@ pip: name: selinux state: latest - virtualenv: "{{ virtualenv }}" + virtualenv: "{{ kayobe_virtualenv }}" when: - ansible_facts.os_family == 'RedHat' vars: # Use the system python interpreter since the virtualenv might not # exist. ansible_python_interpreter: "{{ ansible_facts.python.executable }}" - when: virtualenv is defined + when: kayobe_virtualenv is defined # If we gathered facts earlier it would have been with a different Python # interpreter. For gathering modes that may use a fact cache, gather facts @@ -96,7 +96,7 @@ filter: "{{ kayobe_ansible_setup_filter }}" gather_subset: "{{ kayobe_ansible_setup_gather_subset }}" when: - - virtualenv is defined + - kayobe_virtualenv is defined - gather_facts is not skipped - lookup('config', 'DEFAULT_GATHERING') != 'implicit' 
@@ -110,15 +110,15 @@ name: "{{ packages | select | list }}" state: present become: True - when: virtualenv is not defined + when: kayobe_virtualenv is not defined - name: Ensure kolla-ansible virtualenv has docker SDK for python installed pip: name: docker state: latest - virtualenv: "{{ virtualenv | default(omit) }}" + virtualenv: "{{ kayobe_virtualenv | default(omit) }}" extra_args: "{% if docker_upper_constraints_file %}-c {{ docker_upper_constraints_file }}{% endif %}" - become: "{{ virtualenv is not defined }}" + become: "{{ kayobe_virtualenv is not defined }}" vars: docker_upper_constraints_file: "{{ pip_upper_constraints_file }}" when: @@ -127,9 +127,9 @@ - name: Ensure kayobe virtualenv has podman SDK installed import_role: - name: openstack.kolla.podman_sdk + name: openstack.kolla.podman_sdk vars: - virtualenv: "{{ virtualenv }}" + virtualenv: "{{ kayobe_virtualenv }}" podman_sdk_upper_constraints_file: "{{ pip_upper_constraints_file }}" when: - "'container-engine' in group_names" diff --git a/ansible/kolla-target-venv.yml b/ansible/kolla-target-venv.yml index 698623996..8e3b2e9c1 100644 --- a/ansible/kolla-target-venv.yml +++ b/ansible/kolla-target-venv.yml @@ -57,7 +57,7 @@ virtualenv: "{{ kolla_ansible_target_venv }}" extra_args: "{% if kolla_upper_constraints_file %}-c {{ kolla_upper_constraints_file }}{% endif %}" become: True - when: "{{ container_engine == 'docker' }}" + when: container_engine == 'docker' - name: Ensure kolla-ansible virtualenv has podman SDK installed pip: @@ -66,7 +66,7 @@ virtualenv: "{{ kolla_ansible_target_venv }}" extra_args: "{% if kolla_upper_constraints_file %}-c {{ kolla_upper_constraints_file }}{% endif %}" become: True - when: "{{ container_engine == 'podman' }}" + when: container_engine == 'podman' - name: Ensure kolla-ansible virtualenv has SELinux bindings installed pip: diff --git a/ansible/mdadm.yml b/ansible/mdadm.yml index 14338dd0a..4d69b92ef 100644 --- a/ansible/mdadm.yml +++ b/ansible/mdadm.yml 
@@ -9,7 +9,7 @@ tags: - mdadm roles: - - name: mrlesmithjr.mdadm + - role: mrlesmithjr.mdadm become: True when: - mdadm_arrays is defined diff --git a/ansible/proxy.yml b/ansible/proxy.yml index 1f39eb6d1..e96e5674b 100644 --- a/ansible/proxy.yml +++ b/ansible/proxy.yml @@ -1,3 +1,4 @@ +--- - name: Configure HTTP(S) proxy settings hosts: seed-hypervisor:seed:overcloud:infra-vms max_fail_percentage: >- diff --git a/ansible/roles/disable-cloud-init/handlers/main.yml b/ansible/roles/disable-cloud-init/handlers/main.yml index b30534747..8b7dc20ca 100644 --- a/ansible/roles/disable-cloud-init/handlers/main.yml +++ b/ansible/roles/disable-cloud-init/handlers/main.yml @@ -1,5 +1,5 @@ --- -- name: reload systemd daemon +- name: Reload systemd daemon systemd: name: cloud-init daemon_reload: yes diff --git a/ansible/roles/disable-cloud-init/tasks/main.yml b/ansible/roles/disable-cloud-init/tasks/main.yml index b17d59bb0..bc591a557 100644 --- a/ansible/roles/disable-cloud-init/tasks/main.yml +++ b/ansible/roles/disable-cloud-init/tasks/main.yml @@ -5,5 +5,5 @@ state: touch mode: "u=rw,g=r,o=r" notify: - - reload systemd daemon + - Reload systemd daemon become: True diff --git a/ansible/roles/dnf/tasks/main.yml b/ansible/roles/dnf/tasks/main.yml index 41feff3ff..d39b8a145 100644 --- a/ansible/roles/dnf/tasks/main.yml +++ b/ansible/roles/dnf/tasks/main.yml @@ -4,7 +4,7 @@ path: /etc/dnf/dnf.conf section: "main" option: "{{ item.key }}" - value: "{{ item.value }}" + value: "{{ item.value }}" loop: "{{ query('dict', dnf_config) }}" become: true diff --git a/ansible/roles/docker-registry/tasks/destroy.yml b/ansible/roles/docker-registry/tasks/destroy.yml index bead5b9a6..527118151 100644 --- a/ansible/roles/docker-registry/tasks/destroy.yml +++ b/ansible/roles/docker-registry/tasks/destroy.yml @@ -14,4 +14,4 @@ - volumes when: "'/' not in volume" vars: - volume: "{{ item.1.split(':')[0] }}" \ No newline at end of file + volume: "{{ item.1.split(':')[0] }}" 
diff --git a/ansible/roles/infra-vms/tasks/main.yml b/ansible/roles/infra-vms/tasks/main.yml index a7306935e..fc367ccd4 100644 --- a/ansible/roles/infra-vms/tasks/main.yml +++ b/ansible/roles/infra-vms/tasks/main.yml @@ -1,7 +1,7 @@ --- - import_tasks: prerequisites.yml -- name: list all VMs on hypervisor +- name: List all VMs on hypervisor virt: command: list_vms register: all_vms diff --git a/ansible/roles/kolla-ansible/tasks/install.yml b/ansible/roles/kolla-ansible/tasks/install.yml index 2e0d4c8c4..5a643b179 100644 --- a/ansible/roles/kolla-ansible/tasks/install.yml +++ b/ansible/roles/kolla-ansible/tasks/install.yml @@ -159,4 +159,4 @@ # newer versions. ANSIBLE_COLLECTIONS_SCAN_SYS_PATH: "False" # NOTE(wszumski): Don't use path configured for kayobe - ANSIBLE_COLLECTIONS_PATH: + ANSIBLE_COLLECTIONS_PATH: '' diff --git a/ansible/roles/kolla-ansible/templates/kolla/globals.yml b/ansible/roles/kolla-ansible/templates/kolla/globals.yml index 31215b3c2..f8a93be65 100644 --- a/ansible/roles/kolla-ansible/templates/kolla/globals.yml +++ b/ansible/roles/kolla-ansible/templates/kolla/globals.yml @@ -176,7 +176,6 @@ neutron_tenant_network_types: {{ kolla_neutron_ml2_tenant_network_types | join(' # ulimits: - ############# # TLS options ############# diff --git a/ansible/roles/kolla-ansible/tests/test-defaults.yml b/ansible/roles/kolla-ansible/tests/test-defaults.yml index f42353a3a..5f16456f7 100644 --- a/ansible/roles/kolla-ansible/tests/test-defaults.yml +++ b/ansible/roles/kolla-ansible/tests/test-defaults.yml @@ -137,7 +137,7 @@ - name: Check that no inventory overrides are configured assert: that: - - kolla_ansible_overcloud_inventory_overrides.matched == 0 + - kolla_ansible_overcloud_inventory_overrides.matched == 0 msg: > Overcloud group vars were found when they should not be set. diff --git a/ansible/roles/kolla-openstack/defaults/main.yml b/ansible/roles/kolla-openstack/defaults/main.yml index 63b7856c1..f74c995cd 100644 
--- a/ansible/roles/kolla-openstack/defaults/main.yml +++ b/ansible/roles/kolla-openstack/defaults/main.yml @@ -138,7 +138,7 @@ kolla_openstack_custom_config_include_globs_default: glob: nova/** - enabled: '{{ kolla_enable_nova | bool }}' glob: nova_compute/** - - enabled: '{{ kolla_enable_octavia | bool }}' + - enabled: '{{ kolla_enable_octavia | bool }}' glob: octavia.conf - enabled: '{{ kolla_enable_octavia | bool }}' glob: octavia/** diff --git a/ansible/roles/manage-containers/tasks/deploy.yml b/ansible/roles/manage-containers/tasks/deploy.yml index d450ddd37..c51be7cac 100644 --- a/ansible/roles/manage-containers/tasks/deploy.yml +++ b/ansible/roles/manage-containers/tasks/deploy.yml @@ -14,4 +14,4 @@ vars: container_name: "{{ item.key }}" container_config: "{{ item.value }}" - with_dict: "{{ seed_containers }}" \ No newline at end of file + with_dict: "{{ seed_containers }}" diff --git a/ansible/roles/manage-containers/tasks/destroy.yml b/ansible/roles/manage-containers/tasks/destroy.yml index acf0d25bd..5059832fa 100644 --- a/ansible/roles/manage-containers/tasks/destroy.yml +++ b/ansible/roles/manage-containers/tasks/destroy.yml @@ -1,6 +1,7 @@ +--- - name: Destroy containers (loop) include_tasks: destroy-container.yml vars: container_name: "{{ item.key }}" container_config: "{{ item.value }}" - with_dict: "{{ seed_containers }}" \ No newline at end of file + with_dict: "{{ seed_containers }}" diff --git a/ansible/roles/swift-block-devices/tests/test-bootstrapped.yml b/ansible/roles/swift-block-devices/tests/test-bootstrapped.yml index 6917ca03f..577b19ab7 100644 --- a/ansible/roles/swift-block-devices/tests/test-bootstrapped.yml +++ b/ansible/roles/swift-block-devices/tests/test-bootstrapped.yml @@ -32,7 +32,7 @@ - block: - name: Test the swift-block-devices role include_role: - name: ../../swift-block-devices + name: ../../swift-block-devices vars: swift_block_devices: - device: "{{ loopback.stdout }}" 
diff --git a/ansible/roles/swift-block-devices/tests/test-invalid-format.yml b/ansible/roles/swift-block-devices/tests/test-invalid-format.yml index 66eea7521..22df7be5e 100644 --- a/ansible/roles/swift-block-devices/tests/test-invalid-format.yml +++ b/ansible/roles/swift-block-devices/tests/test-invalid-format.yml @@ -7,7 +7,7 @@ - block: - name: Test the swift-block-devices role include_role: - name: ../../swift-block-devices + name: ../../swift-block-devices vars: swift_block_devices: - /dev/fake diff --git a/ansible/roles/swift-block-devices/tests/test-mount.yml b/ansible/roles/swift-block-devices/tests/test-mount.yml index 88bdb8ef9..5489160d9 100644 --- a/ansible/roles/swift-block-devices/tests/test-mount.yml +++ b/ansible/roles/swift-block-devices/tests/test-mount.yml @@ -24,7 +24,7 @@ - block: - name: Test the swift-block-devices role include_role: - name: ../../swift-block-devices + name: ../../swift-block-devices vars: swift_block_devices: - device: "{{ loopback.stdout }}" diff --git a/ansible/ssh-known-host.yml b/ansible/ssh-known-host.yml index a13ffba3a..58d68bd8a 100644 --- a/ansible/ssh-known-host.yml +++ b/ansible/ssh-known-host.yml @@ -11,4 +11,3 @@ - ssh-known-host roles: - role: ssh-known-host - diff --git a/ansible/tuned.yml b/ansible/tuned.yml index 69c5ba8d6..b538b2553 100644 --- a/ansible/tuned.yml +++ b/ansible/tuned.yml @@ -9,7 +9,7 @@ tags: - tuned roles: - - name: giovtorres.tuned + - role: giovtorres.tuned become: true when: - tuned_active_builtin_profile != "" diff --git a/dev/dev-vagrant-network-allocation.yml b/dev/dev-vagrant-network-allocation.yml index 66bff42df..39e3fcf38 100644 --- a/dev/dev-vagrant-network-allocation.yml +++ b/dev/dev-vagrant-network-allocation.yml @@ -1,2 +1,3 @@ +--- aio_ips: controller1: 192.168.33.3 diff --git a/doc/source/contributor/testing.rst b/doc/source/contributor/testing.rst index adb7a64fa..b11cd4e48 100644 --- a/doc/source/contributor/testing.rst +++ b/doc/source/contributor/testing.rst 
@@ -75,10 +75,10 @@ Environments The following tox environments are provided: -alint - Run Ansible linter. ansible Run Ansible tests for some ansible roles using Ansible playbooks. +ansible-lint + Run Ansible linter. ansible-syntax Run a syntax check for all Ansible files. docs diff --git a/tox.ini b/tox.ini index 4acf49860..5801e7136 100644 --- a/tox.ini +++ b/tox.ini @@ -69,8 +69,28 @@ commands = -p {toxinidir}/ansible/roles bash -c "source {envdir}/bin/activate && {toxinidir}/tools/test-molecule.sh {posargs}" -[testenv:alint] -commands = bash -c "ansible-lint {toxinidir}/ansible/*.yml" +[testenv:linters] +# Env vars and deps need to be defined in top level tox env +setenv = + ANSIBLE_ACTION_PLUGINS = {toxinidir}/ansible/action_plugins + ANSIBLE_FILTER_PLUGINS = {toxinidir}/ansible/filter_plugins + ANSIBLE_ROLES_PATH = {toxinidir}/ansible/roles + +deps = + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} + -r{toxinidir}/requirements.txt + -r{toxinidir}/test-requirements.txt +commands = + {[testenv:ansible-lint]commands} + +[testenv:ansible-lint] +# Lint only code in ansible/* - ignore various folders used by CI +# TODO(priteau): Ignore YAML linting issues in plugins and figure out why +# idrac-bootstrap.yml fails. +setenv = {[testenv:linters]setenv} +deps = {[testenv:linters]deps} +commands = + ansible-lint -p --exclude etc --exclude kayobe/plugins --exclude playbooks --exclude releasenotes --exclude roles --exclude zuul.d --exclude ansible/idrac-bootstrap.yml [testenv:ansible-syntax] commands = From 144bf6f7eccf6d859c2493748570a6a20b0002b6 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 28 May 2025 08:01:40 +0200 Subject: [PATCH 017/187] CI: Add ansible-role-jobs template This runs the commands defined in the linters tox environment, which currently includes only ansible-lint. Change-Id: I9a52c99f5f6ef09c8005476e2fdde6f36144889d --- zuul.d/project.yaml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 24cb02c73..f76b1fe4b 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -2,6 +2,7 @@ - project: queue: kayobe templates: + - ansible-role-jobs - openstack-cover-jobs - openstack-python3-jobs - publish-openstack-docs-pti From 2305e75c9420b1a78f913a7ed33f25d4cdc636a1 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 28 May 2025 22:55:45 +0200 Subject: [PATCH 018/187] CI: Bump ansible-lint and prune skip list Change-Id: Id056d372f5c8f33ad6f9f33f47896eb784a652ed --- .ansible-lint | 6 ------ test-requirements.txt | 2 +- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 1392b7a1c..af177246f 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -11,12 +11,8 @@ skip_list: # [unnamed-task] All tasks should be named # FIXME(mgoddard): Add names to all tasks - unnamed-task - # disable experimental rules - - experimental # Package installs should not use latest - package-latest - # Most files should not contain tabs - - no-tabs # NOTE(frickler): Agreed at Zed PTG not to use FQCN for builtin actions for now, due to # conflicts with open patches and backports. - fqcn-builtins @@ -32,11 +28,9 @@ skip_list: - command-instead-of-module - command-instead-of-shell - deprecated-local-action - - ignore-errors - jinja[spacing] - key-order[task] - name[play] - - no-free-form - risky-file-permissions - risky-shell-pipe - run-once[task] diff --git a/test-requirements.txt b/test-requirements.txt index 9caa5ace2..6295d47fd 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -2,7 +2,7 @@ # of appearance. Changing the order has an impact on the overall integration # process, which may cause wedges in the gate later. -ansible-lint>=3.0.0,!=4.3.0 # MIT +ansible-lint>=25.0.0,<26.0.0 # MIT bashate>=0.2 # Apache-2.0 coverage>=4.0 # Apache-2.0 doc8 # Apache-2.0 From 9554ddd2d339e27b68f360425beb11830b370357 Mon Sep 17 00:00:00 2001 
From: Seunghun Lee Date: Fri, 30 May 2025 17:03:44 +0100 Subject: [PATCH 019/187] Make custom Gather facts run with default python for kayobe-target-venv Fixes an issue introduced in I7cfb600eec268749ea1315112fe3a9429ab3ab8e. This change make custom 'Gather facts' task for kayobe-target-venv run with ``ansible_python_interpreter = /usr/bin/python3``. This is to ensure custom 'Gather facts' can be run even when there was no ansible facts gathered before. Closes-Bug: #2112201 Change-Id: I2409428e7b929bec32c2b0034e82b4d03b343567 --- ansible/kayobe-target-venv.yml | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/ansible/kayobe-target-venv.yml b/ansible/kayobe-target-venv.yml index 99d22f586..3f82074e6 100644 --- a/ansible/kayobe-target-venv.yml +++ b/ansible/kayobe-target-venv.yml @@ -21,14 +21,21 @@ - not ansible_python_interpreter.startswith('/bin') - not ansible_python_interpreter.startswith('/usr/bin') - - block: - - name: Gather facts - setup: - filter: "{{ kayobe_ansible_setup_filter }}" - gather_subset: "{{ kayobe_ansible_setup_gather_subset }}" - when: not ansible_facts - register: gather_facts + - name: Gather facts + setup: + filter: "{{ kayobe_ansible_setup_filter }}" + gather_subset: "{{ kayobe_ansible_setup_gather_subset }}" + when: + - ansible_facts is undefined or not ansible_facts + - kayobe_virtualenv is defined + register: gather_facts + # Before any facts are gathered, ansible doesn't know about + # python virtualenv. + # Use default python3 to be safe for this task. + vars: + ansible_python_interpreter: /usr/bin/python3 + - block: - name: Ensure the Python venv package is installed on Debian family systems package: name: python3-venv From ced8b575c137dcedda3140fa2dca383a5cf7652c Mon Sep 17 00:00:00 2001 
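Review bot: The relocated `Gather facts` task in ansible/kayobe-target-venv.yml pins `ansible_python_interpreter: /usr/bin/python3` in task-level `vars`, which take precedence over inventory host and group variables, so a host whose system Python lives elsewhere fails at first contact and cannot be corrected from inventory. Routing the path through a variable with the same default would keep the behaviour while leaving an override, e.g. `ansible_python_interpreter: "{{ <bootstrap_interpreter_var> | default('/usr/bin/python3') }}"` (the variable name is a placeholder). At minimum the comment above `vars:` should state the assumption, for instance `# Assumes a system python3 at /usr/bin/python3 on every target host.` The play this task belongs to starts before the hunk and continues after it.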
From: Pierre Riteau Date: Wed, 4 Jun 2025 17:36:03 +0100 Subject: [PATCH 020/187] ansible-lint: Fix jinja[spacing] We need to use noqa for gather_facts_delegated_delegate_hosts because of the Python array syntax. Change-Id: Id2f298d22bc0f0031aded62bb1fb69dd08d64245 --- .ansible-lint | 1 - ansible/baremetal-compute-serial-console.yml | 6 +-- ansible/roles/dnf/tasks/custom-repo.yml | 40 +++++++++---------- .../gather-facts-delegated/defaults/main.yml | 3 +- .../ipa-images/tasks/set-driver-info.yml | 6 +-- ansible/roles/ssh-known-host/tasks/main.yml | 2 +- 6 files changed, 28 insertions(+), 30 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index af177246f..03e343dd1 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -28,7 +28,6 @@ skip_list: - command-instead-of-module - command-instead-of-shell - deprecated-local-action - - jinja[spacing] - key-order[task] - name[play] - risky-file-permissions diff --git a/ansible/baremetal-compute-serial-console.yml b/ansible/baremetal-compute-serial-console.yml index 39acc3bd1..f4370f00a 100644 --- a/ansible/baremetal-compute-serial-console.yml +++ b/ansible/baremetal-compute-serial-console.yml @@ -38,7 +38,7 @@ set_fact: baremetal_nodes: >- {{ query('inventory_hostnames', console_compute_node_limit | - default('baremetal-compute') ) | unique }} + default('baremetal-compute')) | unique }} - name: Reserve TCP ports for ironic serial consoles include_role: @@ -110,7 +110,7 @@ vars: matching_nodes: >- {{ (nodes.stdout | from_json) | selectattr('Name', 'defined') | - selectattr('Name', 'equalto', inventory_hostname ) | list }} + selectattr('Name', 'equalto', inventory_hostname) | list }} node: "{{ matching_nodes | first }}" when: - cmd == "enable" 
@@ -130,7 +130,7 @@ vars: matching_nodes: >- {{ (nodes.stdout | from_json) | selectattr('Name', 'defined') | - selectattr('Name', 'equalto', inventory_hostname ) | list }} + selectattr('Name', 'equalto', inventory_hostname) | list }} node: "{{ matching_nodes | first }}" when: - cmd == "disable" diff --git a/ansible/roles/dnf/tasks/custom-repo.yml b/ansible/roles/dnf/tasks/custom-repo.yml index b7e66de76..6a7e0434e 100644 --- a/ansible/roles/dnf/tasks/custom-repo.yml +++ b/ansible/roles/dnf/tasks/custom-repo.yml 
@@ -3,28 +3,28 @@ yum_repository: name: "{{ item.key }}" description: "{% if 'description' in item.value %}{{ item.value.description }}{% else %}{{ item.key }} repository{% endif %}" - baseurl: "{{ item.value.baseurl | default(omit)}}" - file: "{{ item.value.file | default(omit)}}" - gpgkey: "{{ item.value.gpgkey | default(omit)}}" - gpgcheck: "{{ item.value.gpgcheck | default(omit)}}" - cost: "{{ item.value.cost | default(omit)}}" - enabled: "{{ item.value.enabled | default(omit)}}" - exclude: "{{ item.value.exclude | default(omit)}}" - gpgcakey: "{{ item.value.gpgcakey | default(omit)}}" - includepkgs: "{{ item.value.includepkgs | default(omit)}}" - metadata_expire: "{{ item.value.metadata_expire | default(omit)}}" - metalink: "{{ item.value.metalink | default(omit)}}" - mirrorlist: "{{ item.value.mirrorlist | default(omit)}}" - mirrorlist_expire: "{{ item.value.mirrorlist_expire | default(omit)}}" + baseurl: "{{ item.value.baseurl | default(omit) }}" + file: "{{ item.value.file | default(omit) }}" + gpgkey: "{{ item.value.gpgkey | default(omit) }}" + gpgcheck: "{{ item.value.gpgcheck | default(omit) }}" + cost: "{{ item.value.cost | default(omit) }}" + enabled: "{{ item.value.enabled | default(omit) }}" + exclude: "{{ item.value.exclude | default(omit) }}" + gpgcakey: "{{ item.value.gpgcakey | default(omit) }}" + includepkgs: "{{ item.value.includepkgs | default(omit) }}" + metadata_expire: "{{ item.value.metadata_expire | default(omit) }}" + metalink: "{{ item.value.metalink | default(omit) }}" + mirrorlist: "{{ item.value.mirrorlist | default(omit) }}" + mirrorlist_expire: "{{ item.value.mirrorlist_expire | default(omit) }}" password: "{{ item.value.password | default(omit) }}" - priority: "{{ item.value.priority | default(omit)}}" - proxy: "{{ item.value.proxy | default(omit)}}" - proxy_password: "{{ item.value.proxy_password | default(omit)}}" - proxy_username: "{{ item.value.proxy_username | default(omit)}}" - repo_gpgcheck: "{{ item.value.repo_gpgcheck | 
default(omit)}}" - sslverify: "{{ item.value.sslverify | default(omit)}}" + priority: "{{ item.value.priority | default(omit) }}" + proxy: "{{ item.value.proxy | default(omit) }}" + proxy_password: "{{ item.value.proxy_password | default(omit) }}" + proxy_username: "{{ item.value.proxy_username | default(omit) }}" + repo_gpgcheck: "{{ item.value.repo_gpgcheck | default(omit) }}" + sslverify: "{{ item.value.sslverify | default(omit) }}" username: "{{ item.value.username | default(omit) }}" - state: "{{ item.value.state | default(omit)}}" + state: "{{ item.value.state | default(omit) }}" with_dict: "{{ dnf_custom_repos }}" loop_control: label: "{{ item.key }}" diff --git a/ansible/roles/gather-facts-delegated/defaults/main.yml b/ansible/roles/gather-facts-delegated/defaults/main.yml index ad6fe6444..2bba8cfc4 100644 --- a/ansible/roles/gather-facts-delegated/defaults/main.yml +++ b/ansible/roles/gather-facts-delegated/defaults/main.yml @@ -4,5 +4,4 @@ gather_facts_delegated_batch_index: "{{ ansible_play_batch.index(inventory_hostn gather_facts_delegated_batch_count: "{{ ansible_play_batch | length }}" # Use a python list slice to divide the group up. # Syntax: [::] -gather_facts_delegated_delegate_hosts: >- - {{ gather_facts_delegated_limit_hosts[gather_facts_delegated_batch_index | int::gather_facts_delegated_batch_count | int] }} +gather_facts_delegated_delegate_hosts: "{{ gather_facts_delegated_limit_hosts[gather_facts_delegated_batch_index | int::gather_facts_delegated_batch_count | int] }}" # noqa jinja[spacing] diff --git a/ansible/roles/ipa-images/tasks/set-driver-info.yml b/ansible/roles/ipa-images/tasks/set-driver-info.yml index 4592da109..c2c11fcc9 100644 --- a/ansible/roles/ipa-images/tasks/set-driver-info.yml +++ b/ansible/roles/ipa-images/tasks/set-driver-info.yml 
@@ -23,9 +23,9 @@ - name: Change system scope to all for Ironic operations set_fact: ipa_images_ironic_openstack_auth_env: "{{ ipa_images_openstack_auth_env | - combine ({ 'OS_PROJECT_NAME': omit }) | - combine ({ 'OS_PROJECT_DOMAIN_NAME': omit }) | - combine ({ 'OS_SYSTEM_SCOPE': 'all' }) }}" + combine({'OS_PROJECT_NAME': omit}) | + combine({'OS_PROJECT_DOMAIN_NAME': omit}) | + combine({'OS_SYSTEM_SCOPE': 'all'}) }}" - name: Get a list of ironic nodes command: | diff --git a/ansible/roles/ssh-known-host/tasks/main.yml b/ansible/roles/ssh-known-host/tasks/main.yml index 2cb8cc49e..2f850a089 100644 --- a/ansible/roles/ssh-known-host/tasks/main.yml +++ b/ansible/roles/ssh-known-host/tasks/main.yml @@ -17,7 +17,7 @@ local_action: module: command ssh-keyscan {{ item }} with_items: - - "{{ ansible_host|default(inventory_hostname) }}" + - "{{ ansible_host | default(inventory_hostname) }}" register: keyscan_result changed_when: False From 5ee032549887ef763d75ce9615ab3ce82443cc24 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 6 Jun 2025 07:33:25 +0100 Subject: [PATCH 021/187] CI: Move failing rocky9 jobs to experimental queue Change-Id: If859d1437c1479b8d3334b8f0b70a2e9dbb221d8 --- zuul.d/project.yaml | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index f76b1fe4b..41ab5542a 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -12,14 +12,10 @@ - kayobe-tox-ansible-syntax - kayobe-tox-ansible - kayobe-tox-molecule - - kayobe-overcloud-rocky9 - - kayobe-overcloud-rocky9-podman - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman - - kayobe-overcloud-tls-rocky9 - kayobe-overcloud-host-configure-rocky9 - kayobe-overcloud-host-configure-ubuntu-noble - - kayobe-overcloud-upgrade-rocky9 - kayobe-overcloud-upgrade-ubuntu-noble - kayobe-seed-rocky9 - kayobe-seed-rocky9-podman 
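Review bot: The four Rocky Linux 9 overcloud jobs removed from this job list and from the one in the next hunk (`@@ -39,14 +35,10 @@`) include `kayobe-overcloud-tls-rocky9`, and no other TLS job appears in the visible lists, so TLS deployment may no longer be exercised before merge. Nothing in the file records why the jobs moved or when they should return. A comment above the entries added to the experimental list would keep that visible, for example `# TODO: move the rocky9 overcloud jobs back to check and gate once they pass again`. The job lists continue outside the hunks, so coverage by other jobs cannot be confirmed from here.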
@@ -39,14 +35,10 @@ - kayobe-tox-ansible-syntax - kayobe-tox-ansible - kayobe-tox-molecule - - kayobe-overcloud-rocky9 - - kayobe-overcloud-rocky9-podman - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman - - kayobe-overcloud-tls-rocky9 - kayobe-overcloud-host-configure-rocky9 - kayobe-overcloud-host-configure-ubuntu-noble - - kayobe-overcloud-upgrade-rocky9 - kayobe-overcloud-upgrade-ubuntu-noble - kayobe-seed-rocky9 - kayobe-seed-rocky9-podman @@ -63,6 +55,10 @@ jobs: - kayobe-overcloud-centos9s - kayobe-overcloud-host-configure-centos9s + - kayobe-overcloud-rocky9 + - kayobe-overcloud-rocky9-podman + - kayobe-overcloud-tls-rocky9 + - kayobe-overcloud-upgrade-rocky9 - kayobe-seed-images-centos9s - kayobe-seed-images-rocky9-podman - kayobe-seed-images-ubuntu-noble From 20195400150ae15b165316e8b0f66254f766ee1d Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 6 Jun 2025 09:50:12 +0100 Subject: [PATCH 022/187] Bump stackhpc.libvirt-vm to v1.16.3 This fixes seed/infra VM provisioning failures with libvirt 10.10.0 (packaged in Rocky Linux 9.6). Closes-Bug: #2112628 Change-Id: Ia3cd43b3cde2474eed7fbd1fcb63ad7405b9e2f6 --- .../bump-stackhpc-libvirt-vm-1.16.3-48680a17eeb5f632.yaml | 5 +++++ requirements.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/bump-stackhpc-libvirt-vm-1.16.3-48680a17eeb5f632.yaml diff --git a/releasenotes/notes/bump-stackhpc-libvirt-vm-1.16.3-48680a17eeb5f632.yaml b/releasenotes/notes/bump-stackhpc-libvirt-vm-1.16.3-48680a17eeb5f632.yaml new file mode 100644 index 000000000..fd50372fe --- /dev/null +++ b/releasenotes/notes/bump-stackhpc-libvirt-vm-1.16.3-48680a17eeb5f632.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Bumps the ``stackhpc.libvirt-vm`` role to v1.16.3 to fix seed and infra VM + provisioning failures on Rocky Linux 9.6. diff --git a/requirements.yml b/requirements.yml index 11b2b0025..f0e70d8a7 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -43,7 +43,7 @@ roles: - src: stackhpc.libvirt-host version: v1.12.1 - src: stackhpc.libvirt-vm - version: v1.16.2 + version: v1.16.3 - src: stackhpc.luks version: 0.4.2 - src: stackhpc.os-ironic-state From 8f0c9a7ec718cd1cf5a2ffd230e0c99c36822af9 Mon Sep 17 00:00:00 2001 From: Doug Szumski Date: Fri, 6 Jun 2025 14:59:28 +0100 Subject: [PATCH 023/187] Fix image registry conditional `kolla_docker_registry` evaluates to an empty string if neither a docker or podman registry are configured. This leads to broken behaviour if an image build is attempted with a regex specified. Closes-bug: #2112646 Change-Id: I4548410d533731138de02780dc8b2013e71730d0 --- ansible/container-image-build.yml | 2 +- releasenotes/notes/fix-empty-registry-bug.yaml | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/fix-empty-registry-bug.yaml diff --git a/ansible/container-image-build.yml b/ansible/container-image-build.yml index 16e4f8071..026c5cec7 100644 --- a/ansible/container-image-build.yml +++ b/ansible/container-image-build.yml @@ -53,7 +53,7 @@ kolla-build --config-dir {{ kolla_build_config_path }} --engine {{ container_engine }} - {% if kolla_docker_registry is not none %}--registry {{ kolla_docker_registry }}{% endif %} + {% if kolla_docker_registry %}--registry {{ kolla_docker_registry }}{% endif %} {% if push_images | bool %}--push{% endif %} {% if nocache | bool %}--nocache{% endif %} {% if kolla_base_arch != ansible_facts.architecture %}--platform {{ platform }}{% endif %} diff --git a/releasenotes/notes/fix-empty-registry-bug.yaml b/releasenotes/notes/fix-empty-registry-bug.yaml new file mode 100644 index 000000000..8efe04310 --- /dev/null +++ b/releasenotes/notes/fix-empty-registry-bug.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Fixes an issue building images with a regex when no image registry is set + `LP#2112646 `__ From 46d28dc7996efafca5be3c9f8280fbd291806f48 Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Wed, 11 Jun 2025 15:56:24 +0200 Subject: [PATCH 024/187] Use latest CentOS Stream 9 GenericCloud image Change-Id: If07b7b5aeff61c4a1181d4e4a6cc256456125c0a --- ansible/inventory/group_vars/all/infra-vms | 4 ++-- ansible/inventory/group_vars/all/seed-vm | 4 ++-- etc/kayobe/infra-vms.yml | 2 +- etc/kayobe/seed-vm.yml | 2 +- .../use-latest-centos-stream-9-image-d23c5a3f5c3a3914.yaml | 5 +++++ 5 files changed, 11 insertions(+), 6 deletions(-) create mode 100644 releasenotes/notes/use-latest-centos-stream-9-image-d23c5a3f5c3a3914.yaml diff --git a/ansible/inventory/group_vars/all/infra-vms b/ansible/inventory/group_vars/all/infra-vms index 6ae0c1991..f5fe780ba 100644 --- a/ansible/inventory/group_vars/all/infra-vms +++ b/ansible/inventory/group_vars/all/infra-vms @@ -46,7 +46,7 @@ infra_vm_root_format: qcow2 # https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 # when os_distribution is "rocky", # or -# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-20221206.0.x86_64.qcow2" +# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-latest.x86_64.qcow2" # otherwise. infra_vm_root_image: >- {%- if os_distribution == 'ubuntu' %} @@ -54,7 +54,7 @@ infra_vm_root_image: >- {%- elif os_distribution == 'rocky' %} https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 {%- else -%} - https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-20221206.0.x86_64.qcow2 + https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-latest.x86_64.qcow2 {%- endif %} # Capacity of the infra VM data volume. diff --git a/ansible/inventory/group_vars/all/seed-vm b/ansible/inventory/group_vars/all/seed-vm index 9687e6de3..ddc636117 100644 --- a/ansible/inventory/group_vars/all/seed-vm +++ b/ansible/inventory/group_vars/all/seed-vm 
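Review bot: The new default `CentOS-Stream-GenericCloud-9-latest.x86_64.qcow2` in `infra_vm_root_image` is a moving URL, so the image a VM is built from can change between runs without any change in configuration, and no checksum for the download is visible in this hunk. The Rocky default in the same expression already tracks a `latest` URL, so the change is consistent, but the comment above the variable should state the consequence, for example `# NOTE: the default URLs track the latest published image; set infra_vm_root_image to a dated image and verify its checksum for reproducible deployments.` The same applies to `seed_vm_root_image` in the `seed-vm` hunk and to the commented defaults under `etc/kayobe/`.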
@@ -46,7 +46,7 @@ seed_vm_root_format: qcow2 # https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 # when os_distribution is "rocky", # or -# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-20221206.0.x86_64.qcow2" +# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-latest.x86_64.qcow2" # otherwise. seed_vm_root_image: >- {%- if os_distribution == 'ubuntu' %} @@ -54,7 +54,7 @@ seed_vm_root_image: >- {%- elif os_distribution == 'rocky' %} https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 {%- else -%} - https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-20221206.0.x86_64.qcow2 + https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-latest.x86_64.qcow2 {%- endif %} # Capacity of the seed VM data volume. diff --git a/etc/kayobe/infra-vms.yml b/etc/kayobe/infra-vms.yml index cbfa34eae..364506595 100644 --- a/etc/kayobe/infra-vms.yml +++ b/etc/kayobe/infra-vms.yml @@ -35,7 +35,7 @@ # https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 # when os_distribution is "rocky", # or -# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-20221206.0.x86_64.qcow2" +# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-latest.x86_64.qcow2" # otherwise. #infra_vm_root_image: diff --git a/etc/kayobe/seed-vm.yml b/etc/kayobe/seed-vm.yml index aa805d847..3c8352a78 100644 --- a/etc/kayobe/seed-vm.yml +++ b/etc/kayobe/seed-vm.yml 
@@ -35,7 +35,7 @@ # https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 # when os_distribution is "rocky", # or -# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-20221206.0.x86_64.qcow2" +# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-latest.x86_64.qcow2" # otherwise. #seed_vm_root_image: diff --git a/releasenotes/notes/use-latest-centos-stream-9-image-d23c5a3f5c3a3914.yaml b/releasenotes/notes/use-latest-centos-stream-9-image-d23c5a3f5c3a3914.yaml new file mode 100644 index 000000000..82e8b0520 --- /dev/null +++ b/releasenotes/notes/use-latest-centos-stream-9-image-d23c5a3f5c3a3914.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - | + Updates the default cloud image for CentOS Stream 9 deployments to use + ``CentOS-Stream-GenericCloud-9-latest.x86_64.qcow2``. From 5d72f5c7e4b60f4b597ae1db7f0daed3d88a3d8a Mon Sep 17 00:00:00 2001 From: Maksim Malchuk Date: Sat, 14 Jun 2025 21:52:48 +0300 Subject: [PATCH 025/187] Drop some leftovers Follow-up on I7c5ac03b3ceb3f558480044f385636936df90f8f Change-Id: If0771fadb0efd4d48ba5af0e5cab8176dde35193 Signed-off-by: Maksim Malchuk --- ansible/kolla-bifrost.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/ansible/kolla-bifrost.yml b/ansible/kolla-bifrost.yml index ea2029098..87023deb5 100644 --- a/ansible/kolla-bifrost.yml +++ b/ansible/kolla-bifrost.yml @@ -17,5 +17,4 @@ kolla_bifrost_config_paths_static: - "{{ kayobe_config_path }}" kolla_bifrost_config_paths_extra: "{{ kolla_bifrost_config_paths_static + kayobe_env_search_paths }}" - kolla_bifrost_config_files: when: kolla_enable_bifrost | bool From 9e18a6e02a72ed08d9eef85d8b186d8f12cf472c Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Wed, 18 Jun 2025 12:30:34 +0200 Subject: [PATCH 026/187] CI: Fix new failures with ansible-lint 25.6.0 Fix name[unique] check which was added in this version. Set noqa for a inventory_hostnames query failing with an exception. Change-Id: Iee5b63bc3f4cdf41239625ecd37301ea0d217a41 --- ansible/baremetal-compute-serial-console.yml | 4 +--- ansible/compute-node-discovery.yml | 2 +- ansible/kayobe-target-venv.yml | 4 ++-- ansible/network-connectivity.yml | 8 ++++---- 4 files changed, 8 insertions(+), 10 deletions(-) diff --git a/ansible/baremetal-compute-serial-console.yml b/ansible/baremetal-compute-serial-console.yml index f4370f00a..f87c6dc8b 100644 --- a/ansible/baremetal-compute-serial-console.yml +++ b/ansible/baremetal-compute-serial-console.yml @@ -36,9 +36,7 @@ - name: Get list of nodes that we should configure serial consoles on set_fact: - baremetal_nodes: >- - {{ query('inventory_hostnames', console_compute_node_limit | - default('baremetal-compute')) | unique }} + baremetal_nodes: "{{ query('inventory_hostnames', console_compute_node_limit | default('baremetal-compute')) | unique }}" # noqa jinja[invalid] - name: Reserve TCP ports for ironic serial consoles include_role: diff --git a/ansible/compute-node-discovery.yml b/ansible/compute-node-discovery.yml index 84f8bca35..60d5674af 100644 --- a/ansible/compute-node-discovery.yml +++ b/ansible/compute-node-discovery.yml @@ -51,7 +51,7 @@ # be respected when using delegate_to. ansible_host: "{{ hostvars[controller_host].ansible_host | default(controller_host) }}" - - name: Pause to prevent overwhelming BMCs + - name: Pause again to prevent overwhelming BMCs pause: seconds: 5 diff --git a/ansible/kayobe-target-venv.yml b/ansible/kayobe-target-venv.yml index 3f82074e6..9e782bdee 100644 --- a/ansible/kayobe-target-venv.yml +++ b/ansible/kayobe-target-venv.yml 
@@ -21,7 +21,7 @@ - not ansible_python_interpreter.startswith('/bin') - not ansible_python_interpreter.startswith('/usr/bin') - - name: Gather facts + - name: Gather facts with system Python interpreter setup: filter: "{{ kayobe_ansible_setup_filter }}" gather_subset: "{{ kayobe_ansible_setup_gather_subset }}" @@ -98,7 +98,7 @@ # If we gathered facts earlier it would have been with a different Python # interpreter. For gathering modes that may use a fact cache, gather facts # again using the interpreter from the virtual environment. - - name: Gather facts + - name: Gather facts with virtualenv Python interpreter setup: filter: "{{ kayobe_ansible_setup_filter }}" gather_subset: "{{ kayobe_ansible_setup_gather_subset }}" diff --git a/ansible/network-connectivity.yml b/ansible/network-connectivity.yml index 745032aa4..3440ae5d5 100644 --- a/ansible/network-connectivity.yml +++ b/ansible/network-connectivity.yml @@ -14,7 +14,7 @@ # (20 bytes) headers. icmp_overhead_bytes: 28 tasks: - - name: Display next action + - name: "Display next action: external IP address check" debug: msg: > Checking whether hosts have access to an external IP address, @@ -25,7 +25,7 @@ command: ping -c1 {{ nc_external_ip }} changed_when: False - - name: Display next action + - name: "Display next action: external hostname check" debug: msg: > Checking whether hosts have access to an external hostname, @@ -36,7 +36,7 @@ command: ping -c1 {{ nc_external_hostname }} changed_when: False - - name: Display next action + - name: "Display next action: gateway check" debug: msg: > Checking whether hosts have access to any configured gateways. @@ -57,7 +57,7 @@ # network and try to ping it. Set the packet size according to the # network's MTU. - - name: Display next action + - name: "Display next action: host connectivity check" debug: msg: > Checking whether hosts have access to other hosts on the same From 65c129143623995d16ec4701afcc5c23717323b8 Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Thu, 19 Jun 2025 19:25:47 +0200 Subject: [PATCH 027/187] Fix documentation of seed_containers usage Pulling a specific image version requires using the tag parameter. Include docker.io in container image name for compatibility with Podman. Change-Id: Ic2fef4c6925d2d799f096de6b6fa519d77130c3e --- ansible/inventory/group_vars/all/seed | 3 ++- doc/source/configuration/reference/seed-custom-containers.rst | 3 ++- etc/kayobe/seed.yml | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ansible/inventory/group_vars/all/seed b/ansible/inventory/group_vars/all/seed index eddee7426..f5b1bd38d 100644 --- a/ansible/inventory/group_vars/all/seed +++ b/ansible/inventory/group_vars/all/seed @@ -136,9 +136,10 @@ seed_users: "{{ users_default }}" # Example: # seed_containers: # squid: -# image: "stackhpc/squid:3.5.20-1" +# image: "docker.io/stackhpc/squid" # pre: "{{ kayobe_env_config_path }}/containers/squid/pre.yml" # post: "{{ kayobe_env_config_path }}/containers/squid/post.yml" +# tag: "3.5.20-1" # seed_containers: {} diff --git a/doc/source/configuration/reference/seed-custom-containers.rst b/doc/source/configuration/reference/seed-custom-containers.rst index a6f094c51..70cc748ca 100644 --- a/doc/source/configuration/reference/seed-custom-containers.rst +++ b/doc/source/configuration/reference/seed-custom-containers.rst 
@@ -17,11 +17,12 @@ For example, to deploy a squid container image: seed_containers: squid: - image: "stackhpc/squid:3.5.20-1" + image: "docker.io/stackhpc/squid" pre: "{{ kayobe_env_config_path }}/containers/squid/pre.yml" post: "{{ kayobe_env_config_path }}/containers/squid/post.yml" pre_destroy: "{{ kayobe_env_config_path }}/containers/squid/pre_destroy.yml" post_destroy: "{{ kayobe_env_config_path }}/containers/squid/post_destroy.yml" + tag: "3.5.20-1" Please notice the *optional* pre, post, pre_destroy, and post_destroy Ansible task files - those need to be created in ``kayobe-config`` path. The table below describes diff --git a/etc/kayobe/seed.yml b/etc/kayobe/seed.yml index 541c07808..48bcfb878 100644 --- a/etc/kayobe/seed.yml +++ b/etc/kayobe/seed.yml @@ -98,9 +98,10 @@ # Example: # seed_containers: # squid: -# image: "stackhpc/squid:3.5.20-1" +# image: "docker.io/stackhpc/squid" # pre: "{{ kayobe_env_config_path }}/containers/squid/pre.yml" # post: "{{ kayobe_env_config_path }}/containers/squid/post.yml" +# tag: "3.5.20-1" # #seed_containers: From 7bd7929ea77f9843717a424d88422837d19d0d4a Mon Sep 17 00:00:00 2001 
From: Alex-Welsh Date: Wed, 18 Jun 2025 10:09:56 +0100 Subject: [PATCH 028/187] Fix infinite loop in seed container deployment The deploy.yml playbook previously called deploy-container.yml, but this was changed to call itself when podman support was added [1]. It would then recursively loop until failure. This change reverts that, so deploy-container.yml is called instead. Add a test to seed jobs, to catch any regression in CI. [1] https://review.opendev.org/c/openstack/kayobe/+/909686 Closes-Bug: #2114845 Change-Id: I825ab7331fbe8f28c17b87ff79a436144426a78c --- ansible/roles/manage-containers/tasks/deploy.yml | 2 +- playbooks/kayobe-seed-base/overrides.yml.j2 | 13 +++++++++++++ .../fix-deploy-containers-24da0992b56a10db.yaml | 5 +++++ 3 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/fix-deploy-containers-24da0992b56a10db.yaml diff --git a/ansible/roles/manage-containers/tasks/deploy.yml b/ansible/roles/manage-containers/tasks/deploy.yml index c51be7cac..a735e9b26 100644 --- a/ansible/roles/manage-containers/tasks/deploy.yml +++ b/ansible/roles/manage-containers/tasks/deploy.yml @@ -10,7 +10,7 @@ become: "{{ container_engine == 'podman' }}" - name: Deploy containers (loop) - include_tasks: deploy.yml + include_tasks: deploy-container.yml vars: container_name: "{{ item.key }}" container_config: "{{ item.value }}" diff --git a/playbooks/kayobe-seed-base/overrides.yml.j2 b/playbooks/kayobe-seed-base/overrides.yml.j2 index 889d82489..16374cd19 100644 --- a/playbooks/kayobe-seed-base/overrides.yml.j2 +++ b/playbooks/kayobe-seed-base/overrides.yml.j2 
@@ -57,3 +57,16 @@ kolla_base_distro: "{% raw %}{{ 'rocky' if os_distribution == 'centos' else os_d # Support overriding container_engine container_engine: "{{ container_engine }}" + +# Test deployment of custom seed containers +seed_containers: + node_exporter: + image: "quay.io/prometheus/node-exporter" + tag: "latest" + +{% if ansible_os_family == "Debian" %} +# TODO(priteau): Required for running some containers on Ubuntu + Podman. +# Remove once installed by ansible-collection-kolla. +dev_tools_packages_extra: + - "catatonit" +{% endif %} diff --git a/releasenotes/notes/fix-deploy-containers-24da0992b56a10db.yaml b/releasenotes/notes/fix-deploy-containers-24da0992b56a10db.yaml new file mode 100644 index 000000000..1421c2bfc --- /dev/null +++ b/releasenotes/notes/fix-deploy-containers-24da0992b56a10db.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Fixes an infinite loop when deploying seed containers. + `LP#2114845 `__ From 17254c42fa0539891fa2718145ef0798484db789 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 20 Jun 2025 15:41:04 +0200 Subject: [PATCH 029/187] Bump stackhpc.linux to 1.3.4 This includes fixes to SR-IOV and VGPU configuration [1]. [1] https://github.com/stackhpc/ansible-collection-linux/compare/v1.3.1...v1.3.4 Change-Id: Ia368ff68f4c3ac69406040be25fa09711e221fa3 --- .../notes/bump-stackhpc-linux-1.3.4-0ae3e0ec9f4c25e2.yaml | 5 +++++ requirements.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/bump-stackhpc-linux-1.3.4-0ae3e0ec9f4c25e2.yaml diff --git a/releasenotes/notes/bump-stackhpc-linux-1.3.4-0ae3e0ec9f4c25e2.yaml b/releasenotes/notes/bump-stackhpc-linux-1.3.4-0ae3e0ec9f4c25e2.yaml new file mode 100644 index 000000000..e300e9752 --- /dev/null +++ b/releasenotes/notes/bump-stackhpc-linux-1.3.4-0ae3e0ec9f4c25e2.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Fixes failure to activate SR-IOV on GPU devices by bumping the + ``stackhpc.linux`` collection to v1.3.4. 
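Review bot: The test container added under `seed_containers` is pulled with `tag: "latest"`, so the seed jobs run whatever `quay.io/prometheus/node-exporter` publishes that day. A red job may then reflect an upstream image change rather than a Kayobe regression, and the image content is not reviewed with the change. Pin a released version instead, `tag: "<PINNED_VERSION>"` (placeholder, to be filled with a version the project has checked). The TODO above `dev_tools_packages_extra` is a good pattern; a similar one-line comment on the pinned tag saying when to bump it would help.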
diff --git a/requirements.yml b/requirements.yml index f0e70d8a7..4d9250ad0 100644 --- a/requirements.yml +++ b/requirements.yml @@ -12,7 +12,7 @@ collections: - name: openstack.cloud version: '<3' - name: stackhpc.linux - version: 1.3.1 + version: 1.3.4 - name: stackhpc.network version: 1.0.0 - name: stackhpc.openstack From 9a7aaffff723fbae4483f38b55e6ea55d4d908fe Mon Sep 17 00:00:00 2001 From: Alex-Welsh Date: Fri, 20 Jun 2025 09:17:32 +0100 Subject: [PATCH 030/187] Fix deprovisioning multiple overcloud hosts Previously, the user prompt ran on one host, but the assertion ran on all hosts. This meant the check could only pass on one host, all others would fail every time. This change ensures the check and assertion always run once on localhost. Closes-Bug: #2115037 Change-Id: If2a26b42e6fe0152922e10df924c0797259e2e53 --- ansible/overcloud-deprovision.yml | 4 ++++ releasenotes/notes/bug-2115037-f2ed2a4994511832.yaml | 7 +++++++ 2 files changed, 11 insertions(+) create mode 100644 releasenotes/notes/bug-2115037-f2ed2a4994511832.yaml diff --git a/ansible/overcloud-deprovision.yml b/ansible/overcloud-deprovision.yml index e7bf91448..c0d9d1bc5 100644 --- a/ansible/overcloud-deprovision.yml +++ b/ansible/overcloud-deprovision.yml @@ -43,6 +43,8 @@ {{ play_hosts | join(', ') }} If you want to proceed type: yes register: pause_prompt + delegate_to: localhost + run_once: true when: not confirm_deprovision - name: Fail if deprovision is not confirmed @@ -51,6 +53,8 @@ msg: > Deprovision has not been confirmed. You must either type 'yes' when prompted, or set ``confirm_deprovision=yes``. + delegate_to: localhost + run_once: true - name: Get PXE MAC address command: > diff --git a/releasenotes/notes/bug-2115037-f2ed2a4994511832.yaml b/releasenotes/notes/bug-2115037-f2ed2a4994511832.yaml new file mode 100644 index 000000000..5031882db --- /dev/null +++ b/releasenotes/notes/bug-2115037-f2ed2a4994511832.yaml 
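Review bot: With `delegate_to: localhost` and `run_once: true`, the prompt and the 'Fail if deprovision is not confirmed' assertion are evaluated once, using the variables of the first host in the batch, and under the default linear strategy the result is applied to every targeted host. This guard protects a destructive action, so that dependency deserves a comment on both tasks, for example `# Runs once on localhost; the answer applies to every host in play_hosts.` If the play is ever run with `serial` (the play header is outside the hunk), `run_once` applies per batch and the operator would be prompted once per batch. The same remark covers the second hunk (`@@ -51,6 +53,8 @@`).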
@@ -0,0 +1,7 @@ +--- +fixes: + - | + Fixes the user prompt for deprovisioning multiple overcloud hosts at once. + Previously, the prompt would only confirm deprovisioning for one host. It + will now correctly apply to all hosts that have been targeted. + `LP#2115037 `__ From 7dbe61a12af8161e4d8fea2b5b31dcdbdd1608e4 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Mon, 23 Jun 2025 18:53:35 +0200 Subject: [PATCH 031/187] Fix markup and wording for release note Change-Id: I8a0c9a7c195c259378cb0b7b4e01434394ab10ae --- .../notes/make-bifrost-optional-32d89388cb2e578e.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/releasenotes/notes/make-bifrost-optional-32d89388cb2e578e.yaml b/releasenotes/notes/make-bifrost-optional-32d89388cb2e578e.yaml index 296146988..5530896bb 100644 --- a/releasenotes/notes/make-bifrost-optional-32d89388cb2e578e.yaml +++ b/releasenotes/notes/make-bifrost-optional-32d89388cb2e578e.yaml @@ -1,5 +1,5 @@ --- features: - | - Add `kolla_enable_bifrost` to make deploying Bifrost optional. It - defaults to `true` maintaining the current behavior. + Adds the ``kolla_enable_bifrost`` variable to make deploying Bifrost + optional. It defaults to ``true``, maintaining the current behavior. From 4007b0ee240904c83b908baa50a0003906f81876 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 24 Jun 2025 17:56:41 +0200 Subject: [PATCH 032/187] Bump dellemc.os10 to 1.2.7 This resolves an issue with applying some configuration blocks. Closes-Bug: #2115121 Change-Id: I3937cb29143f3b9965032c186e8086854de7fbef Signed-off-by: Pierre Riteau --- .../notes/bump-dellemc-os10-1.2.7-0107ff39718372c5.yaml | 6 ++++++ requirements.yml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/bump-dellemc-os10-1.2.7-0107ff39718372c5.yaml 
diff --git a/releasenotes/notes/bump-dellemc-os10-1.2.7-0107ff39718372c5.yaml b/releasenotes/notes/bump-dellemc-os10-1.2.7-0107ff39718372c5.yaml new file mode 100644 index 000000000..2d3188783 --- /dev/null +++ b/releasenotes/notes/bump-dellemc-os10-1.2.7-0107ff39718372c5.yaml @@ -0,0 +1,6 @@ +--- +upgrade: + - | + Bumps the ``dellemc.os10`` collection to version 1.2.7. This resolves an + issue with applying some configuration blocks. + `LP#2115121 `__ diff --git a/requirements.yml b/requirements.yml index 4d9250ad0..c379f0417 100644 --- a/requirements.yml +++ b/requirements.yml @@ -6,7 +6,7 @@ collections: - name: community.docker version: 3.11.0 - name: dellemc.os10 - version: 1.1.1 + version: 1.2.7 - name: nvidia.nvue version: 1.2.6 - name: openstack.cloud From 9fdae13f403955e2ac4c5abdbb9c8d7912fc7124 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 25 Jun 2025 08:03:46 +0200 Subject: [PATCH 033/187] Fix typo Change-Id: Idbcca8a104a86cdfb609434a917811e7fc2401da --- doc/source/configuration/reference/hosts.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst index 9e06722e3..b8a79132d 100644 --- a/doc/source/configuration/reference/hosts.rst +++ b/doc/source/configuration/reference/hosts.rst @@ -518,7 +518,7 @@ Development tools | ``dev-tools`` Development tools (additional OS packages) can be configured to be installed -on hosts. By default Ddvelopment tools are installed on all +on hosts. By default development tools are installed on all ``seed-hypervisor``, ``seed``, ``overcloud`` and ``infra-vms`` hosts. The following variables can be used to set which packages to install: From 36e7a7b0d0441413913406a68d886248838f794c Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 25 Jun 2025 08:29:58 +0200 Subject: [PATCH 034/187] Support empty strings in dev-tools package lists Closes-Bug: #2115000 Change-Id: Ib27428f89b0e3f2865ab1c498f05de741fa49587 
Signed-off-by: Pierre Riteau --- ansible/roles/dev-tools/defaults/main.yml | 2 +- .../dev-tools-packages-select-filter-17f432df42762625.yaml | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/dev-tools-packages-select-filter-17f432df42762625.yaml diff --git a/ansible/roles/dev-tools/defaults/main.yml b/ansible/roles/dev-tools/defaults/main.yml index b2f843617..adeac39e1 100644 --- a/ansible/roles/dev-tools/defaults/main.yml +++ b/ansible/roles/dev-tools/defaults/main.yml @@ -15,4 +15,4 @@ dev_tools_packages_system: - acl # List of packages to install. -dev_tools_packages: "{{ dev_tools_packages_default + dev_tools_packages_extra + dev_tools_packages_system }}" +dev_tools_packages: "{{ (dev_tools_packages_default + dev_tools_packages_extra + dev_tools_packages_system) | select | list }}" diff --git a/releasenotes/notes/dev-tools-packages-select-filter-17f432df42762625.yaml b/releasenotes/notes/dev-tools-packages-select-filter-17f432df42762625.yaml new file mode 100644 index 000000000..255cc8301 --- /dev/null +++ b/releasenotes/notes/dev-tools-packages-select-filter-17f432df42762625.yaml @@ -0,0 +1,7 @@ +--- +fixes: + - | + Fixes support for empty strings in the ``dev-tools`` package lists. This + allows using expressions such as ``{{ 'foo' if os_distribution == 'rocky' + else '' }}``. + `LP#2115000 `__ From b67587ef6fc18aa5b4abba8eae980b740b21f18e Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 3 Jul 2025 09:57:27 +0200 Subject: [PATCH 035/187] CI: Make rocky9 VM jobs non-voting These jobs are broken due to a missing cirros image from cache [1]. [1] https://review.opendev.org/c/opendev/zuul-providers/+/953908 Change-Id: Ic19aee58748e088e6d68a476ed82e48e5b186822 Signed-off-by: Pierre Riteau --- zuul.d/project.yaml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 41ab5542a..742a860ae 100644 --- a/zuul.d/project.yaml 
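Review bot: `select` with no test drops every falsy entry from `dev_tools_packages`, not only empty strings, and the comment above the variable still reads `# List of packages to install.`, which does not tell an operator that empty entries are filtered out. Extend it to something like `# List of packages to install. Empty entries are dropped, so an expression may evaluate to '' to add nothing.` A string containing only whitespace is still truthy and would be passed on as a package name, which may be worth a word in the release note.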
+++ b/zuul.d/project.yaml @@ -24,11 +24,14 @@ - kayobe-seed-images-rocky9 - kayobe-seed-upgrade-rocky9 - kayobe-seed-upgrade-ubuntu-noble - - kayobe-seed-vm-rocky9 - - kayobe-seed-vm-rocky9-efi + - kayobe-seed-vm-rocky9: + voting: false + - kayobe-seed-vm-rocky9-efi: + voting: false - kayobe-seed-vm-ubuntu-noble - kayobe-seed-vm-ubuntu-noble-efi - - kayobe-infra-vm-rocky9 + - kayobe-infra-vm-rocky9: + voting: false - kayobe-infra-vm-ubuntu-noble gate: jobs: @@ -46,9 +49,7 @@ - kayobe-seed-ubuntu-noble-podman - kayobe-seed-upgrade-rocky9 - kayobe-seed-upgrade-ubuntu-noble - - kayobe-seed-vm-rocky9 - kayobe-seed-vm-ubuntu-noble - - kayobe-infra-vm-rocky9 - kayobe-infra-vm-ubuntu-noble experimental: From 1372a7b01e1b4022f486aba01f4010efc724ada8 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 3 Jul 2025 12:25:42 +0200 Subject: [PATCH 036/187] junos-switch: Fix junos_config call The junos_config module dropped support for the provider parameter and for connection: local [1]. Apply a similar to fix to the Arista one [2]. [1] https://github.com/ansible-collections/junipernetworks.junos/pull/333 [2] https://review.opendev.org/c/openstack/kayobe/+/922631 Closes-Bug: #2111341 Change-Id: I531862fa9bebb8ef8ee900457278e0959dbe66cc Signed-off-by: Pierre Riteau --- .../inventory/group_vars/all/switches/junos | 19 ------------------- ansible/physical-network.yml | 1 - ansible/roles/junos-switch/README.md | 19 ++++--------------- ansible/roles/junos-switch/defaults/main.yml | 3 --- ansible/roles/junos-switch/tasks/main.yml | 4 +--- .../reference/physical-network.rst | 14 ++------------ .../notes/bug-2111341-706fe5689414a9c1.yaml | 15 +++++++++++++++ 7 files changed, 22 insertions(+), 53 deletions(-) create mode 100644 releasenotes/notes/bug-2111341-706fe5689414a9c1.yaml diff --git a/ansible/inventory/group_vars/all/switches/junos b/ansible/inventory/group_vars/all/switches/junos index d833c2937..df82bb48c 100644 --- a/ansible/inventory/group_vars/all/switches/junos 
+++ b/ansible/inventory/group_vars/all/switches/junos @@ -1,28 +1,9 @@ --- # Switch configuration. -############################################################################### -# Authentication configuration. - -# For Juniper switches, this defines a 'provider' argument to the junos_* -# modules. -switch_junos_provider: - host: "{{ ansible_host|default(inventory_hostname) }}" - username: "{{ ansible_user }}" - password: "{{ ansible_ssh_pass|default(omit) }}" - ssh_keyfile: "{{ ansible_ssh_private_key_file|default(omit) }}" - timeout: "{{ switch_junos_timeout }}" - ############################################################################### # Configuration format. # Format of configuration in junos_switch_config and # junos_switch_interface_config. May be one of 'set', 'text' or 'json'. switch_junos_config_format: text - -############################################################################### -# Timeout. - -# Timeout in seconds for communicating with the network device either for -# connecting or sending commands. -switch_junos_timeout: 10 diff --git a/ansible/physical-network.yml b/ansible/physical-network.yml index f3bfaf00f..3361301c4 100644 --- a/ansible/physical-network.yml +++ b/ansible/physical-network.yml @@ -173,7 +173,6 @@ - role: junos-switch junos_switch_type: "{{ switch_type }}" - junos_switch_provider: "{{ switch_junos_provider }}" junos_switch_config_format: "{{ switch_junos_config_format }}" junos_switch_config: "{{ switch_config }}" junos_switch_interface_config: "{{ switch_interface_config }}" diff --git a/ansible/roles/junos-switch/README.md b/ansible/roles/junos-switch/README.md index ed0652dfc..fa7604883 100644 --- a/ansible/roles/junos-switch/README.md +++ b/ansible/roles/junos-switch/README.md 
@@ -1,10 +1,10 @@ JunOS Switch ============ -This role configures Juniper switches using the `junos` Ansible modules. It -provides a fairly minimal abstraction of the configuration interface provided -by the `junos` modules, allowing for application of arbitrary switch -configuration options. +This role configures Juniper switches using the `junipernetworks.junos` Ansible +collection. It provides a fairly minimal abstraction of the configuration +interface provided by the collection, allowing for application of arbitrary +switch configuration options. Requirements ------------ @@ -14,12 +14,6 @@ The switches should be configured to allow access to NETCONF via SSH. Role Variables -------------- -`junos_switch_delegate_to` is the host on which to execute the `junos` Ansible -modules. - -`junos_switch_provider` is authentication provider information passed as the -`provider` argument to the `junos` modules. - `junos_switch_config_format` is the format of configuration in `junos_switch_config` and `junos_switch_interface_config`. May be one of `set`, `text` or `json`. @@ -53,11 +47,6 @@ passwords. It applies global configuration for LLDP, and enables two gather_facts: no roles: - role: junos-switch - junos_switch_delegate_to: localhost - junos_switch_provider: - host: "{{ switch_host }}" - username: "{{ switch_user }}" - password: "{{ switch_password }}" junos_switch_config: - "protocols {" - " lldp {" diff --git a/ansible/roles/junos-switch/defaults/main.yml b/ansible/roles/junos-switch/defaults/main.yml index 09da1a600..8df0d41fb 100644 --- a/ansible/roles/junos-switch/defaults/main.yml +++ b/ansible/roles/junos-switch/defaults/main.yml @@ -1,7 +1,4 @@ --- -# Authentication provider information. -junos_switch_provider: - # Format of configuration in junos_switch_config and # junos_switch_interface_config. May be one of 'set', 'text' or 'json'. junos_switch_config_format: text 
diff --git a/ansible/roles/junos-switch/tasks/main.yml b/ansible/roles/junos-switch/tasks/main.yml index c06a377a0..d5fea0cce 100644 --- a/ansible/roles/junos-switch/tasks/main.yml +++ b/ansible/roles/junos-switch/tasks/main.yml @@ -15,9 +15,7 @@ run_once: true - name: Ensure Juniper switches are configured - local_action: - module: junos_config - provider: "{{ junos_switch_provider }}" + junos_config: src: "{{ junos_switch_src }}" src_format: "{{ junos_switch_config_format }}" vars: diff --git a/doc/source/configuration/reference/physical-network.rst b/doc/source/configuration/reference/physical-network.rst index e0e69cc18..d1bbf8999 100644 --- a/doc/source/configuration/reference/physical-network.rst +++ b/doc/source/configuration/reference/physical-network.rst @@ -293,24 +293,14 @@ module. configuration. The variable is passed as the ``src_format`` argument to the ``junos_config`` module. The default value is ``text``. -Provider -^^^^^^^^ - * ``ansible_host`` is the hostname or IP address. Optional. - * ``ansible_user`` is the SSH username. - * ``ansible_ssh_pass`` is the SSH password. Mutually exclusive with ``ansible_ssh_private_key_file``. - * ``ansible_ssh_private_key_file`` is the SSH private key file. Mutually exclusive with ``ansible_ssh_pass``. - -* ``switch_junos_timeout`` may be set to a timeout in seconds for communicating - with the device. - -Alternatively, set ``switch_junos_provider`` to the value to be passed as the -``provider`` argument to the ``junos_config`` module. +* ``ansible_connection`` should be ``ansible.netcommon.netconf``. +* ``ansible_network_os`` should be ``junipernetworks.junos.junos``. Mellanox MLNX OS ---------------- diff --git a/releasenotes/notes/bug-2111341-706fe5689414a9c1.yaml b/releasenotes/notes/bug-2111341-706fe5689414a9c1.yaml new file mode 100644 index 000000000..fee46a379 --- /dev/null +++ b/releasenotes/notes/bug-2111341-706fe5689414a9c1.yaml 
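Review bot: The task in ansible/roles/junos-switch/tasks/main.yml now calls the module by its short name, `junos_config:`, while the README and reference documentation changed in the same commit name the `junipernetworks.junos` collection explicitly. Writing it as `junipernetworks.junos.junos_config:` pins the module to that collection instead of relying on short-name resolution. With `provider` removed, the credentials come from the host's connection variables (`ansible_user`, `ansible_ssh_pass`, `ansible_ssh_private_key_file`), so the reference page could also say that `ansible_ssh_pass` should live in a vault-encrypted variables file. The task's `vars:` block continues outside the hunk.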
@@ -0,0 +1,15 @@ +--- +upgrade: + - | + Deployments using Juniper Junos OS switches are required to update their + configuration according to `Juniper Junos OS documentation + `_. + This is due to the ``junos_config`` module dropping support for the + ``provider`` parameter. +fixes: + - | + Fixes physical network configuration for Juniper Junos OS switches. + Note that users are required to update their configuration according to + `Juniper Junos OS documentation + `_. + `LP#2111341 `__ From 4051b0cac06e5910ee88e782e70fed19b90b5cd7 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 3 Jul 2025 12:42:44 +0200 Subject: [PATCH 037/187] CI: Remove installation of catatonit This is now provided by ansible-collection-kolla directly [1]. [1] https://review.opendev.org/c/openstack/ansible-collection-kolla/+/952910 Change-Id: I9ebba113bd734d8e100653fdaab206d846033258 Signed-off-by: Pierre Riteau --- playbooks/kayobe-seed-base/overrides.yml.j2 | 7 ------- 1 file changed, 7 deletions(-) diff --git a/playbooks/kayobe-seed-base/overrides.yml.j2 b/playbooks/kayobe-seed-base/overrides.yml.j2 index 16374cd19..2c4c6213f 100644 --- a/playbooks/kayobe-seed-base/overrides.yml.j2 +++ b/playbooks/kayobe-seed-base/overrides.yml.j2 @@ -63,10 +63,3 @@ seed_containers: node_exporter: image: "quay.io/prometheus/node-exporter" tag: "latest" - -{% if ansible_os_family == "Debian" %} -# TODO(priteau): Required for running some containers on Ubuntu + Podman. -# Remove once installed by ansible-collection-kolla. -dev_tools_packages_extra: - - "catatonit" -{% endif %} From 5e9b7738fcc00c1c4750b88b7b5a39c1f4437959 Mon Sep 17 00:00:00 2001 From: Alex-Welsh Date: Tue, 8 Jul 2025 13:58:19 +0100 Subject: [PATCH 038/187] Enable building of neutron-bgp-dragent container Change-Id: Iebd91d92c603efeaac94cebf009036873dd97093 
Signed-off-by: Alex Welsh --- ansible/inventory/group_vars/all/kolla | 3 +++ .../notes/build-neutron-bgp-dragent-a6b28ce7e22d8145.yaml | 5 +++++ 2 files changed, 8 insertions(+) create mode 100644 releasenotes/notes/build-neutron-bgp-dragent-a6b28ce7e22d8145.yaml diff --git a/ansible/inventory/group_vars/all/kolla b/ansible/inventory/group_vars/all/kolla index e0e4c949e..1bf0d52a6 100644 --- a/ansible/inventory/group_vars/all/kolla +++ b/ansible/inventory/group_vars/all/kolla @@ -210,6 +210,8 @@ overcloud_container_image_regex_map: enabled: "{{ kolla_enable_neutron | bool }}" - regex: "neutron-\\(dhcp\\|l3\\|linuxbridge\\|openvswitch\\)-agent" enabled: "{{ kolla_build_neutron_ovs | default(kolla_enable_neutron | bool and not kolla_enable_ovn | bool) }}" + - regex: neutron-bgp-dragent + enabled: "{{ kolla_enable_neutron_bgp_dragent | bool }}" - regex: neutron-mlnx-agent enabled: "{{ kolla_enable_neutron_mlnx | bool }}" - regex: neutron-ovn-agent @@ -556,6 +558,7 @@ kolla_enable_manila: "no" kolla_enable_masakari: "no" kolla_enable_mistral: "no" kolla_enable_multipathd: "no" +kolla_enable_neutron_bgp_dragent: "no" kolla_enable_neutron_mlnx: "no" kolla_enable_neutron_provider_networks: "no" kolla_enable_neutron_sriov: "no" diff --git a/releasenotes/notes/build-neutron-bgp-dragent-a6b28ce7e22d8145.yaml b/releasenotes/notes/build-neutron-bgp-dragent-a6b28ce7e22d8145.yaml new file mode 100644 index 000000000..cfe93cbda --- /dev/null +++ b/releasenotes/notes/build-neutron-bgp-dragent-a6b28ce7e22d8145.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + The ``neutron-bgp-dragent`` container will now be built by default when + ``kolla_enable_neutron_bgp_dragent`` is true. From 9d3bf1417e21610f17d8843048df51a475aff2ac Mon Sep 17 00:00:00 2001 
From: Michal Nasiadka Date: Wed, 16 Jul 2025 15:50:49 +0200 Subject: [PATCH 039/187] Add network group to tls-backend In case of a deployment utilising network nodes the backend TLS configuration is missing on network nodes. Closes-Bug: #2117084 Change-Id: Ie5247cbcc81388d67707b0772ae00fda8ab7262b Signed-off-by: Michal Nasiadka --- .../roles/kolla-ansible/templates/overcloud-components.j2 | 1 + releasenotes/notes/bug-2117084-8d1eaa375df1d1f8.yaml | 6 ++++++ 2 files changed, 7 insertions(+) create mode 100644 releasenotes/notes/bug-2117084-8d1eaa375df1d1f8.yaml diff --git a/ansible/roles/kolla-ansible/templates/overcloud-components.j2 b/ansible/roles/kolla-ansible/templates/overcloud-components.j2 index 0ef0a176c..88781653f 100644 --- a/ansible/roles/kolla-ansible/templates/overcloud-components.j2 +++ b/ansible/roles/kolla-ansible/templates/overcloud-components.j2 @@ -15,6 +15,7 @@ bifrost [tls-backend:children] control +network # You can explicitly specify which hosts run each project by updating the # groups in the sections below. Common services are grouped together. diff --git a/releasenotes/notes/bug-2117084-8d1eaa375df1d1f8.yaml b/releasenotes/notes/bug-2117084-8d1eaa375df1d1f8.yaml new file mode 100644 index 000000000..1e275e202 --- /dev/null +++ b/releasenotes/notes/bug-2117084-8d1eaa375df1d1f8.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixes configuration of backend TLS when network nodes are separate from + controllers. + `LP#2117084 `__ From 28dadfbce180192fc197caa65c943140190e485e Mon Sep 17 00:00:00 2001 From: Matt Anson Date: Thu, 24 Jul 2025 12:36:23 +0100 Subject: [PATCH 040/187] Bump jriguera.configdrive to latest master commit This resolves an issue where incorrect network-data.json would be generated when interfaces without IP addresses were attached to infrastructure VMs. Closes-Bug: #2118403 Change-Id: I8698e0b0fa01c84318e16a5e61f698ad36996a7f 
Signed-off-by: Matt Anson --- .../notes/bump-jriguera-configdrive-e01c6f347507ee6f.yaml | 7 +++++++ requirements.yml | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/bump-jriguera-configdrive-e01c6f347507ee6f.yaml diff --git a/releasenotes/notes/bump-jriguera-configdrive-e01c6f347507ee6f.yaml b/releasenotes/notes/bump-jriguera-configdrive-e01c6f347507ee6f.yaml new file mode 100644 index 000000000..599dab288 --- /dev/null +++ b/releasenotes/notes/bump-jriguera-configdrive-e01c6f347507ee6f.yaml @@ -0,0 +1,7 @@ +--- +fixes: + - | + Fixes an issue where incorrect network-data.json would + be generated when interfaces without IP addresses are + attached to infrastructure VMs. + `LP#2118403 `__ diff --git a/requirements.yml b/requirements.yml index c379f0417..d51d5eeb8 100644 --- a/requirements.yml +++ b/requirements.yml @@ -25,7 +25,7 @@ roles: version: 1.1.1 - src: jriguera.configdrive # There are no versioned releases of this role. - version: acd08fd126d0e442ab8b3bc518e37761390d8c2f + version: 313c9b0ff8cd8009471380ccd71b27b440ac6704 - src: MichaelRigart.interfaces version: v1.15.5 - src: mrlesmithjr.chrony From 9b5e605a3982745637d7205689f744eb6411b694 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 24 Jul 2025 17:48:52 +0200 Subject: [PATCH 041/187] CI: Switch from td-agent to fluent-package (LTS) This mirrors what was done in Kolla images [1] and may be a more stable repository. Also fix an outdated comment. [1] https://review.opendev.org/c/openstack/kolla/+/894948 Change-Id: I953b168240edc88e9248a7a1b353d318aa09853c Signed-off-by: Pierre Riteau --- .../overrides.yml.j2 | 6 +++--- .../tests/test_overcloud_host_configure.py | 10 +++++----- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 index 91bb0a0db..62b316e46 100644 
--- a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 +++ b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 @@ -146,7 +146,7 @@ apt_repositories: suites: noble-security components: main universe # Treasuredata repository. - - url: http://packages.treasuredata.com/5/ubuntu/noble/ + - url: https://packages.treasuredata.com/lts/5/ubuntu/noble components: contrib signed_by: td-agent.asc apt_preferences: @@ -178,8 +178,8 @@ dnf_epel_mirror_host: "{{ zuul_site_mirror_fqdn }}" dnf_epel_mirror_directory: 'epel' # Configure a custom DNF repository. dnf_custom_repos: - td-agent: - baseurl: http://packages.treasuredata.com/4/redhat/$releasever/$basearch + fluent-package: + baseurl: https://packages.treasuredata.com/lts/5/redhat/$releasever/$basearch gpgkey: https://packages.treasuredata.com/GPG-KEY-td-agent gpgcheck: yes # Install EPEL local mirror. diff --git a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py index 6c10068fe..8dc5d1bae 100644 --- a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py +++ b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py @@ -229,8 +229,8 @@ def test_apt_preferences(host): @pytest.mark.skipif(not _is_apt(), reason="Apt only supported on Ubuntu") def test_apt_custom_package_repository_is_available(host): with host.sudo(): - host.check_output("apt -y install td-agent") - assert host.package("td-agent").is_installed + host.check_output("apt -y install fluent-package") + assert host.package("fluent-package").is_installed @pytest.mark.skipif(not _is_apt(), reason="Apt only supported on Ubuntu") 
@@ -246,7 +246,7 @@ def test_apt_auth(host): @pytest.mark.parametrize('repo', ["appstream", "baseos", "extras", "epel"]) @pytest.mark.skipif(not _is_dnf_mirror(), - reason="DNF OpenDev mirror only for CentOS 8") + reason="DNF OpenDev mirror only for CentOS Stream 9") def test_dnf_local_package_mirrors(host, repo): # Depends on SITE_MIRROR_FQDN environment variable. assert os.getenv('SITE_MIRROR_FQDN') @@ -261,8 +261,8 @@ def test_dnf_local_package_mirrors(host, repo): @pytest.mark.skipif(not _is_dnf(), reason="DNF only supported on CentOS/Rocky") def test_dnf_custom_package_repository_is_available(host): with host.sudo(): - host.check_output("dnf -y install td-agent") - assert host.package("td-agent").is_installed + host.check_output("dnf -y install fluent-package") + assert host.package("fluent-package").is_installed @pytest.mark.skipif(not _is_dnf(), reason="DNF only supported on CentOS/Rocky") From d213dbaff5b1fcea72ee834549be2b73cb444a51 Mon Sep 17 00:00:00 2001 From: Bartosz Bezak Date: Mon, 4 Aug 2025 16:05:04 +0200 Subject: [PATCH 042/187] use current debian version supported by kolla Change-Id: Id7fdbd3871e4385455767cb14fb167140ee0d55d Signed-off-by: Bartosz Bezak --- ansible/inventory/group_vars/all/kolla | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/inventory/group_vars/all/kolla b/ansible/inventory/group_vars/all/kolla index 1bf0d52a6..9b63291b7 100644 --- a/ansible/inventory/group_vars/all/kolla +++ b/ansible/inventory/group_vars/all/kolla @@ -64,7 +64,7 @@ kolla_base_distro: "{{ os_distribution }}" # Defines default versions for each distribution. kolla_base_distro_version_default_map: { "centos": "stream9", - "debian": "bullseye", + "debian": "bookworm", "rocky": "9", "ubuntu": "noble", } From 24b975fe028deb3161463032ff6d4e13f740d3e8 Mon Sep 17 00:00:00 2001 
From: Bartosz Bezak Date: Thu, 10 Jul 2025 12:33:41 +0200 Subject: [PATCH 043/187] public-openrc: avoid duplicate OS_CACERT Skip the admin OS_CACERT line when rendering public-openrc. Recent change [1] introduced that. It occurs only when both admin and public cacert variables are set. [1] https://review.opendev.org/c/openstack/kayobe/+/949624 Closes-Bug: #2116318 Change-Id: I29c0c6bf77e919940c3452b1f5d219462552cdff Signed-off-by: Bartosz Bezak --- ansible/roles/public-openrc/templates/public-openrc.sh.j2 | 2 ++ releasenotes/notes/bug-2116318-44f0c022cde1e686.yaml | 6 ++++++ 2 files changed, 8 insertions(+) create mode 100644 releasenotes/notes/bug-2116318-44f0c022cde1e686.yaml diff --git a/ansible/roles/public-openrc/templates/public-openrc.sh.j2 b/ansible/roles/public-openrc/templates/public-openrc.sh.j2 index d11c795dd..49225fc60 100644 --- a/ansible/roles/public-openrc/templates/public-openrc.sh.j2 +++ b/ansible/roles/public-openrc/templates/public-openrc.sh.j2 @@ -11,6 +11,8 @@ export OS_ENDPOINT_TYPE=publicURL export OS_MANILA_ENDPOINT_TYPE=publicURL {% elif "export OS_MISTRAL_ENDPOINT_TYPE" in line %} export OS_MISTRAL_ENDPOINT_TYPE=publicURL +{% elif "export OS_CACERT" in line %} +{# NOTE(bbezak): drop admin OS_CACERT; public-openrc sets its own. -#} {% else %} {{ line }} {% endif %} diff --git a/releasenotes/notes/bug-2116318-44f0c022cde1e686.yaml b/releasenotes/notes/bug-2116318-44f0c022cde1e686.yaml new file mode 100644 index 000000000..8851717e4 --- /dev/null +++ b/releasenotes/notes/bug-2116318-44f0c022cde1e686.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixes duplicate ``OS_CACERT`` lines in ``public-openrc.sh`` when both admin + and public cacert variables are set. + `LP#2116318 `__ From d4109924c4115c462bfab0b82fb03d0266f5e272 Mon Sep 17 00:00:00 2001 
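Review bot: The new `{% elif "export OS_CACERT" in line %}` branch in public-openrc.sh.j2 drops the admin CA line unconditionally, whereas the commit message says the duplicate only occurs when both the admin and the public cacert variables are set. The part of the template that writes the public `OS_CACERT` is outside the hunk. If that part is conditional on the public variable, a deployment that sets only the admin one would now get a public-openrc.sh with no `OS_CACERT`, and clients would verify the public endpoint against the system trust store instead. Making the branch conditional on the public cacert variable being set would preserve the old output in that case. The test is also a substring match; `line.startswith("export OS_CACERT=")` would skip only the intended line.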
From: Pierre Riteau Date: Thu, 7 Aug 2025 14:53:40 +0200 Subject: [PATCH 044/187] Fix version of EPEL GPG key This is only an issue when dnf_use_local_mirror is true. Closes-Bug: #2119921 Change-Id: I55e703dcf67e556dd97289a58b8720511b60355b Signed-off-by: Pierre Riteau --- ansible/roles/dnf/templates/epel.repo.j2 | 6 +++--- releasenotes/notes/bug-2119921-b23dc13147e6bda4.yaml | 6 ++++++ 2 files changed, 9 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/bug-2119921-b23dc13147e6bda4.yaml diff --git a/ansible/roles/dnf/templates/epel.repo.j2 b/ansible/roles/dnf/templates/epel.repo.j2 index 0c924f239..ad5d8c774 100644 --- a/ansible/roles/dnf/templates/epel.repo.j2 +++ b/ansible/roles/dnf/templates/epel.repo.j2 @@ -3,14 +3,14 @@ name=Extra Packages for Enterprise Linux $releasever - $basearch baseurl=http://{{ dnf_epel_mirror_host }}/{{ dnf_epel_mirror_directory }}/$releasever/Everything/$basearch enabled=1 gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-{{ ansible_facts.distribution_major_version }} fastestmirror=0 [epel-debuginfo] name=Extra Packages for Enterprise Linux $releasever - $basearch - Debug baseurl=http://{{ dnf_epel_mirror_host }}/{{ dnf_epel_mirror_directory }}/$releasever/Everything/$basearch/debug enabled=0 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-{{ ansible_facts.distribution_major_version }} gpgcheck=1 fastestmirror=0 @@ -18,6 +18,6 @@ fastestmirror=0 name=Extra Packages for Enterprise Linux $releasever - $basearch - Source baseurl=http://{{ dnf_epel_mirror_host }}/{{ dnf_epel_mirror_directory }}/$releasever/Everything/SRPMS enabled=0 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-{{ ansible_facts.distribution_major_version }} gpgcheck=1 fastestmirror=0 
diff --git a/releasenotes/notes/bug-2119921-b23dc13147e6bda4.yaml b/releasenotes/notes/bug-2119921-b23dc13147e6bda4.yaml new file mode 100644 index 000000000..cdc21b1cc --- /dev/null +++ b/releasenotes/notes/bug-2119921-b23dc13147e6bda4.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixes wrong name of ``gpgkey`` used for EPEL repositories when + ``dnf_use_local_mirror`` is enabled. + `LP#2119921 `__ From e30333940f6215740b22f987a50ad191e876b7d2 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 11 Jul 2025 09:31:52 +0200 Subject: [PATCH 045/187] Fix known_hosts module issue on centos/rocky 10 The known_hosts module returns a failure on centos/rocky 10 when given a comment line from ssh-keyscan output. Fix by excluding them with grep. Change-Id: I29e7e8a7480009fd359b8aa8b867b11900109f00 Signed-off-by: Pierre Riteau --- ansible/roles/bootstrap/tasks/main.yml | 4 +++- ansible/roles/ssh-known-host/tasks/main.yml | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ansible/roles/bootstrap/tasks/main.yml b/ansible/roles/bootstrap/tasks/main.yml index f5a1e1b4f..ee673a204 100644 --- a/ansible/roles/bootstrap/tasks/main.yml +++ b/ansible/roles/bootstrap/tasks/main.yml @@ -61,8 +61,10 @@ user: "{{ ansible_facts.user_id }}" key: "{{ lookup('file', bootstrap_ssh_private_key_path ~ '.pub') }}" +# NOTE(priteau): Exclude comments from ssh-keyscan output because they break +# known_hosts on centos/rocky 10. - name: Scan for SSH keys - command: ssh-keyscan {{ item }} + shell: ssh-keyscan {{ item }} | grep -v '^#' with_items: - localhost - 127.0.0.1 diff --git a/ansible/roles/ssh-known-host/tasks/main.yml b/ansible/roles/ssh-known-host/tasks/main.yml index 2f850a089..a59ceffc1 100644 --- a/ansible/roles/ssh-known-host/tasks/main.yml +++ b/ansible/roles/ssh-known-host/tasks/main.yml 
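Review bot: Piping through `grep -v '^#'` in `Scan for SSH keys` makes the task's return code that of `grep`, so a failing `ssh-keyscan` is no longer reported as a failure of the scan itself; the ssh-known-host hunk in this commit has the same pattern. Without `pipefail` the shell discards the exit status of the left-hand command, and the default `/bin/sh` may not support that option. Keeping `command: ssh-keyscan {{ item }}` and dropping the comment lines where the registered result is consumed, for example with `stdout_lines | reject('match', '^#')`, avoids the shell entirely. The consuming task is outside the hunk, so this needs checking against it.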
@@ -13,9 +13,11 @@ vm provision' and 'kayobe overcloud inventory discover'. when: not ansible_host | default(inventory_hostname) +# NOTE(priteau): Exclude comments from ssh-keyscan output because they break +# known_hosts on centos/rocky 10. - name: Scan for SSH keys local_action: - module: command ssh-keyscan {{ item }} + module: shell ssh-keyscan {{ item }} | grep -v '^#' with_items: - "{{ ansible_host | default(inventory_hostname) }}" register: keyscan_result From fb259e9287670efb614d7ae45f5aaa74e87cbb4f Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 19 Aug 2025 15:52:01 +0200 Subject: [PATCH 046/187] CI: Move failing job to experimental queue The kayobe-seed-images-rocky9 job is currently failing during IPA build: qemu-img: error while reading at byte 6186729472: Input/output error Move it to the experimental queue for now. Change-Id: Ib20bd2c60093f16dec1a663f0ddac4ac8bb464d8 Signed-off-by: Pierre Riteau --- zuul.d/project.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 742a860ae..43dba5560 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -21,7 +21,6 @@ - kayobe-seed-rocky9-podman - kayobe-seed-ubuntu-noble - kayobe-seed-ubuntu-noble-podman - - kayobe-seed-images-rocky9 - kayobe-seed-upgrade-rocky9 - kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky9: @@ -61,6 +60,7 @@ - kayobe-overcloud-tls-rocky9 - kayobe-overcloud-upgrade-rocky9 - kayobe-seed-images-centos9s + - kayobe-seed-images-rocky9 - kayobe-seed-images-rocky9-podman - kayobe-seed-images-ubuntu-noble - kayobe-seed-images-ubuntu-noble-podman From a4a86f34102fad7e8134605565a997b9cf512ea9 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 19 Aug 2025 18:03:25 +0200 Subject: [PATCH 047/187] Synchronise neutron groups with kolla-ansible This is required following the switch to uWSGI [1]. [1] https://review.opendev.org/c/openstack/kolla-ansible/+/956785 Change-Id: Ic95d230141047d7222bcb156c78baba573d1ac5a 
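Review bot: `{{ item }}` is now interpolated into a shell command line in `module: shell ssh-keyscan {{ item }} | grep -v '^#'`, and in this role it comes from `ansible_host | default(inventory_hostname)` rather than from the literals used in the bootstrap role. With `command` the value was passed as a plain argument; with `shell`, any metacharacter in an inventory value is interpreted by the shell on the host running the `local_action`. If the shell form stays, quote the value: `module: shell ssh-keyscan {{ item | quote }} | grep -v '^#'`. The task continues past the hunk; `register: keyscan_result` is the last visible line.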
Signed-off-by: Pierre Riteau --- .../templates/overcloud-services.j2 | 35 ++++++++++++------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/ansible/roles/kolla-ansible/templates/overcloud-services.j2 b/ansible/roles/kolla-ansible/templates/overcloud-services.j2 index 7d9777e88..7fedcb915 100644 --- a/ansible/roles/kolla-ansible/templates/overcloud-services.j2 +++ b/ansible/roles/kolla-ansible/templates/overcloud-services.j2 @@ -88,38 +88,47 @@ nova {% endif %} # Neutron -[neutron-server:children] -control - -[neutron-dhcp-agent:children] +[ironic-neutron-agent:children] neutron -[neutron-l3-agent:children] +[neutron-bgp-dragent:children] neutron -[neutron-metadata-agent:children] +[neutron-dhcp-agent:children] neutron -[neutron-ovn-metadata-agent:children] -compute -network +[neutron-infoblox-ipam-agent:children] +neutron -[neutron-bgp-dragent:children] +[neutron-l3-agent:children] neutron -[neutron-infoblox-ipam-agent:children] +[neutron-metadata-agent:children] neutron [neutron-metering-agent:children] neutron -[ironic-neutron-agent:children] -neutron +[neutron-periodic-worker:children] +control + +[neutron-rpc-server:children] +control + +[neutron-server:children] +control [neutron-ovn-agent:children] compute network +[neutron-ovn-maintenance-worker:children] +control + +[neutron-ovn-metadata-agent:children] +compute +network + # Cinder [cinder-api:children] cinder From 243661a925df502151c2c0c0cf720985833e9d11 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Tue, 19 Aug 2025 10:59:37 +0100 Subject: [PATCH 048/187] Adds selinux_update_kernel_param This is useful if the selinux kernel command line option is set in Grub config. Change-Id: I07c38a3c1815198bde164ad7146e1d1dcaac2cd8 
Signed-off-by: Will Szumski --- ansible/roles/selinux/defaults/main.yml | 5 +++++ ansible/roles/selinux/tasks/main.yml | 1 + doc/source/configuration/reference/hosts.rst | 3 +++ .../adds-selinux-update-kernel-param-0f162ec4d55566e8.yaml | 5 +++++ 4 files changed, 14 insertions(+) create mode 100644 releasenotes/notes/adds-selinux-update-kernel-param-0f162ec4d55566e8.yaml diff --git a/ansible/roles/selinux/defaults/main.yml b/ansible/roles/selinux/defaults/main.yml index 80481b39f..8966e67f3 100644 --- a/ansible/roles/selinux/defaults/main.yml +++ b/ansible/roles/selinux/defaults/main.yml @@ -11,3 +11,8 @@ selinux_do_reboot: false # Number of seconds to wait for hosts to become accessible via SSH after being # rebooted. selinux_reboot_timeout: + +# Whether or not to update the selinux kernel parameter. Can be useful if you +# have selinux= set on the kernel command line. Default is to use +# the module default. +selinux_update_kernel_param: "{{ omit }}" diff --git a/ansible/roles/selinux/tasks/main.yml b/ansible/roles/selinux/tasks/main.yml index 2e375d5a3..43551d998 100644 --- a/ansible/roles/selinux/tasks/main.yml +++ b/ansible/roles/selinux/tasks/main.yml @@ -16,6 +16,7 @@ selinux: policy: "{{ selinux_policy }}" state: "{{ selinux_state }}" + update_kernel_param: "{{ selinux_update_kernel_param }}" register: selinux_result vars: ansible_python_interpreter: /usr/bin/python3 diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst index b8a79132d..6b08e84ab 100644 --- a/doc/source/configuration/reference/hosts.rst +++ b/doc/source/configuration/reference/hosts.rst 
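Review bot: The comment added for `selinux_update_kernel_param` in ansible/roles/selinux/defaults/main.yml does not state the value's type or what the target host needs. The reference documentation in this commit says it takes a boolean, and the `selinux` module documentation says `grubby` must be present on the target for `update_kernel_param` to work. I would add a line such as `# Boolean. Requires grubby on the target host.` to the comment. It would also help to say that, when true, the kernel boot parameters are changed along with `selinux_state`, so a disabled state is written to the boot configuration as well.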
@@ -560,6 +560,9 @@ the SELinux configuration. The timeout for waiting for systems to reboot is ``selinux_reboot_timeout``. Alternatively, the reboot may be avoided by setting ``selinux_do_reboot`` to ``false``. +The ``selinux_update_kernel_param`` variable can be used to change the selinux +state set on the kernel command line; it takes a boolean value. + Network Configuration ===================== *tags:* diff --git a/releasenotes/notes/adds-selinux-update-kernel-param-0f162ec4d55566e8.yaml b/releasenotes/notes/adds-selinux-update-kernel-param-0f162ec4d55566e8.yaml new file mode 100644 index 000000000..44bea9790 --- /dev/null +++ b/releasenotes/notes/adds-selinux-update-kernel-param-0f162ec4d55566e8.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Adds the ``selinux_update_kernel_param`` variable which controls whether + the selinux kernel command line option is updated. From 7cdf272515c38e394dd82f6698d3ddb0b4a4a0fb Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 22 Aug 2025 20:46:42 +0200 Subject: [PATCH 049/187] Revert "CI: Make rocky9 VM jobs non-voting" This reverts commit b67587ef6fc18aa5b4abba8eae980b740b21f18e. Reason for revert: cirros image should now be available. Change-Id: I743d61f9418a87d41d546e1e0db99aada4fe9726 Signed-off-by: Pierre Riteau --- zuul.d/project.yaml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 43dba5560..3da4d44e3 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -23,14 +23,11 @@ - kayobe-seed-ubuntu-noble-podman - kayobe-seed-upgrade-rocky9 - kayobe-seed-upgrade-ubuntu-noble - - kayobe-seed-vm-rocky9: - voting: false - - kayobe-seed-vm-rocky9-efi: - voting: false + - kayobe-seed-vm-rocky9 + - kayobe-seed-vm-rocky9-efi - kayobe-seed-vm-ubuntu-noble - kayobe-seed-vm-ubuntu-noble-efi - - kayobe-infra-vm-rocky9: - voting: false + - kayobe-infra-vm-rocky9 - kayobe-infra-vm-ubuntu-noble gate: jobs: 
@@ -48,7 +45,9 @@ - kayobe-seed-ubuntu-noble-podman - kayobe-seed-upgrade-rocky9 - kayobe-seed-upgrade-ubuntu-noble + - kayobe-seed-vm-rocky9 - kayobe-seed-vm-ubuntu-noble + - kayobe-infra-vm-rocky9 - kayobe-infra-vm-ubuntu-noble experimental: From 7c6f81bb9f85b1dad305dd2c7706015eecc09229 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Tue, 19 Aug 2025 10:34:17 +0100 Subject: [PATCH 050/187] Fix networking connectivity check with no_ip When no_ip is applied to only a subset of the hosts for a particular network, network connectivity check could fail since we only checked the source IP was properly defined and not the destination IP. This adds a check for the destination IP. Also improves the loop label for ease of debugging. Closes-Bug: #2120918 Change-Id: I107f1b2687852a04eb4a6eb7cc82f4d6690bc177 Signed-off-by: Will Szumski --- ansible/network-connectivity.yml | 13 ++++++++++--- ...y-check-with-partial-no-ip-5efcc8ed6e76267e.yaml | 6 ++++++ 2 files changed, 16 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/fix-networking-connectivity-check-with-partial-no-ip-5efcc8ed6e76267e.yaml diff --git a/ansible/network-connectivity.yml b/ansible/network-connectivity.yml index 3440ae5d5..797d0f096 100644 --- a/ansible/network-connectivity.yml +++ b/ansible/network-connectivity.yml @@ -68,9 +68,12 @@ command: > ping {{ remote_ip }} -c1 -M do {% if mtu %} -s {{ mtu | int - icmp_overhead_bytes }}{% endif %} with_items: "{{ network_interfaces }}" + loop_control: + label: "{{ remote_host }} on {{ item }}" when: - - item | net_ip - remote_hosts | length > 0 + - remote_ip | length > 0 + - item | net_ip changed_when: False vars: # Select other hosts targeted by this play which have this network 
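Review bot: The new `loop_control` label in ansible/network-connectivity.yml, `"{{ remote_host }} on {{ item }}"`, is not covered by the `remote_hosts | length > 0` guard in the `when` list. Labels appear to be rendered for skipped items too, and `remote_host` is derived from `remote_hosts | random(...)`, so it is worth confirming the label still renders when `remote_hosts` is empty. A label with a fallback, such as `label: "{{ remote_host if remote_hosts else 'no peer' }} on {{ item }}"`, would not depend on that. The `vars:` block that defines `remote_hosts` continues outside this hunk.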
@@ -83,6 +86,10 @@ rejectattr('inventory_hostname', 'equalto', inventory_hostname) | map(attribute='inventory_hostname') | list }} - remote_host: "{{ remote_hosts | random }}" - remote_ip: "{{ item | net_ip(remote_host) }}" + # NOTE(wszumski): Needed to fix random choice for the run otherwise the + # when check: remote_ip | length > 0, would pass, but remote_ip was '' + # in the command. Assumption was that this was being evaluated once + # for the when clause and then again for the command. Bug? + remote_host: "{{ remote_hosts | random(seed=ansible_facts.date_time.iso8601) }}" + remote_ip: "{{ lookup('cached', 'vars', item ~ '_ips')[remote_host] | default('', true) }}" mtu: "{{ item | net_mtu }}" diff --git a/releasenotes/notes/fix-networking-connectivity-check-with-partial-no-ip-5efcc8ed6e76267e.yaml b/releasenotes/notes/fix-networking-connectivity-check-with-partial-no-ip-5efcc8ed6e76267e.yaml new file mode 100644 index 000000000..44ee8e262 --- /dev/null +++ b/releasenotes/notes/fix-networking-connectivity-check-with-partial-no-ip-5efcc8ed6e76267e.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixes network connectivity check when a subset of hosts have the ``no_ip`` + property set via group or host variables. + `LP#2120918 `__ From bf10d47736d51a13ccb6372184a882094d7946d9 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 26 Aug 2025 19:03:12 +0200 Subject: [PATCH 051/187] Fix markup syntax Change-Id: I8b0da4bd85aef7792ea41ef93ebf3085103c18d4 Signed-off-by: Pierre Riteau --- doc/source/administration/seed.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/administration/seed.rst b/doc/source/administration/seed.rst index 4880e5cf5..b0bf5d0d7 100644 --- a/doc/source/administration/seed.rst +++ b/doc/source/administration/seed.rst 
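Review bot: The `NOTE(wszumski)` comment ends on "Bug?", but what it describes is expected behaviour: task `vars` are re-templated on every reference, so an unseeded `random` can return one host for the `when` clause and another for the command. I would state that directly, e.g. `# Task vars are re-templated on each reference; seed the choice so when: and the command see the same remote_host.` The seed also makes the task depend on `ansible_facts.date_time` being present, which this hunk cannot show because the play header is outside it. If facts are not gathered, or are gathered with a restricted subset, the seed is presumably undefined, so a fallback such as `seed=ansible_facts.date_time.iso8601 | default(inventory_hostname)` is worth considering. The same hunk is repeated under PATCH 058.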
@@ -146,7 +146,7 @@ Backup Podman, simply change ``docker`` for ``sudo podman`` in the command. It should be safe to keep services running during the backup, but for maximum -safety they may optionally be stopped: +safety they may optionally be stopped:: docker exec -it bifrost_deploy systemctl stop ironic ironic-inspector From 07e87458f3905246db882c0d52a95f1e56ad40d3 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 28 Aug 2025 16:24:59 +0200 Subject: [PATCH 052/187] CI: Move failing jobs to experimental queue The Rocky Linux 9 seed jobs are failing due to the latest keystoneauth release dropping support for Python 3.9 [1], while the openstacksdk virtualenv is still created with the default Python interpreter. This will be resolved by supporting Rocky Linux 10. [1] https://review.opendev.org/c/openstack/keystoneauth/+/949008 Change-Id: I859528f0834d6679bd9d3b7d5248f0196aae5bae Signed-off-by: Pierre Riteau --- zuul.d/project.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 3da4d44e3..e3f64ace2 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -17,11 +17,8 @@ - kayobe-overcloud-host-configure-rocky9 - kayobe-overcloud-host-configure-ubuntu-noble - kayobe-overcloud-upgrade-ubuntu-noble - - kayobe-seed-rocky9 - - kayobe-seed-rocky9-podman - kayobe-seed-ubuntu-noble - kayobe-seed-ubuntu-noble-podman - - kayobe-seed-upgrade-rocky9 - kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky9 - kayobe-seed-vm-rocky9-efi @@ -63,3 +60,6 @@ - kayobe-seed-images-rocky9-podman - kayobe-seed-images-ubuntu-noble - kayobe-seed-images-ubuntu-noble-podman + - kayobe-seed-rocky9 + - kayobe-seed-rocky9-podman + - kayobe-seed-upgrade-rocky9 From 8e54f3648f9b390e1f10d4f2259b361b0f84165a Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Fri, 29 Aug 2025 16:08:23 +0200 Subject: [PATCH 053/187] CI: Remove failing jobs from gate This was missed from I859528f0834d6679bd9d3b7d5248f0196aae5bae [1]. [1] https://review.opendev.org/c/openstack/kayobe/+/958772 Change-Id: I1db713c3cad53ce6d9b8875bcfdfeac597c951ab Signed-off-by: Pierre Riteau --- zuul.d/project.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index e3f64ace2..24d0ea12d 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -36,11 +36,8 @@ - kayobe-overcloud-host-configure-rocky9 - kayobe-overcloud-host-configure-ubuntu-noble - kayobe-overcloud-upgrade-ubuntu-noble - - kayobe-seed-rocky9 - - kayobe-seed-rocky9-podman - kayobe-seed-ubuntu-noble - kayobe-seed-ubuntu-noble-podman - - kayobe-seed-upgrade-rocky9 - kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky9 - kayobe-seed-vm-ubuntu-noble From e26b20955424619708e3d15afc39d2cdcd287739 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 28 Aug 2025 23:15:32 +0200 Subject: [PATCH 054/187] Switch to EFI-compatible CentOS Stream cloud image As explained in a recent centos-devel message [1], which is in the context of CentOS Stream 10 but also applies to 9: Q: What is the difference between the two x86_64 qcow2 images? The original (without the extra x86_64) is our original Bios only image. The one with the extra x86_64 boots using EFI [1] https://lists.centos.org/hyperkitty/list/devel@lists.centos.org/thread/PQSMX2QQCOJRKMNLQSXDOFIKRGJF4QDM/ Closes-Bug: #2121588 Change-Id: Ibd2c68103e73b1ecedd1aade780f96af3d9e9ab3 Signed-off-by: Pierre Riteau --- ansible/inventory/group_vars/all/seed-vm | 4 ++-- releasenotes/notes/bug-2121588-ad6d8b33e3fcaff9.yaml | 6 ++++++ 2 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/bug-2121588-ad6d8b33e3fcaff9.yaml diff --git a/ansible/inventory/group_vars/all/seed-vm b/ansible/inventory/group_vars/all/seed-vm index ddc636117..cc840f46e 100644 
--- a/ansible/inventory/group_vars/all/seed-vm +++ b/ansible/inventory/group_vars/all/seed-vm @@ -46,7 +46,7 @@ seed_vm_root_format: qcow2 # https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 # when os_distribution is "rocky", # or -# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-latest.x86_64.qcow2" +# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-9-latest.x86_64.qcow2" # otherwise. seed_vm_root_image: >- {%- if os_distribution == 'ubuntu' %} @@ -54,7 +54,7 @@ seed_vm_root_image: >- {%- elif os_distribution == 'rocky' %} https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 {%- else -%} - https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-latest.x86_64.qcow2 + https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-9-latest.x86_64.qcow2 {%- endif %} # Capacity of the seed VM data volume. diff --git a/releasenotes/notes/bug-2121588-ad6d8b33e3fcaff9.yaml b/releasenotes/notes/bug-2121588-ad6d8b33e3fcaff9.yaml new file mode 100644 index 000000000..ac5424b7f --- /dev/null +++ b/releasenotes/notes/bug-2121588-ad6d8b33e3fcaff9.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixes CentOS Stream 9 seed and infra VMs not booting by switching to an + EFI-compatible image. + `LP#2121588 `__ From 2228dbbcf09d52843b2178e9f3d3b00102e35ff2 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 29 Aug 2025 21:51:48 +0200 Subject: [PATCH 055/187] CI: Rename seed-vm-efi jobs to seed-vm-q35 The default seed VM boot firmware was switched to efi in 2024.2 [1], but CI jobs were not renamed to match. Move q35 jobs to the experimental queue, we don't need to run them on every change. Also add missing kayobe-seed-vm-centos9s-q35 job. [1] https://review.opendev.org/c/openstack/kayobe/+/927015 Change-Id: I5ab71d6c3968b852be17c02f27bbc04a400a7aaf 
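Review bot: Both hunks keep the CentOS Stream default for `seed_vm_root_image` on a moving `...-9-latest.x86_64.qcow2` URL, so the image content can change without any change in this repository, and nothing in the hunk ties the download to a known digest. How the image is fetched is outside the hunk, so whether a checksum is verified downstream is not visible here; if it is not, the VM boots whatever the mirror serves at deploy time. I would at least extend the comment above the variable with `# NOTE: "latest" is a moving target; for production pin a dated image and verify its published checksum.` The same change is repeated under PATCH 061 and applied to `infra_vm_root_image` in PATCH 064.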
Signed-off-by: Pierre Riteau --- zuul.d/jobs.yaml | 17 ++++++++--------- zuul.d/project.yaml | 5 +++-- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 530545b39..90d93d4c5 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -387,30 +387,29 @@ kayobe_control_host_become: false - job: - name: kayobe-seed-vm-efi-base + name: kayobe-seed-vm-q35-base parent: kayobe-seed-vm-base description: | - Base job for testing seed VM provisioning with EFI and q35 + Base job for testing seed VM provisioning with q35 vars: - seed_vm_boot_firmware: efi seed_vm_machine: q35 - job: - name: kayobe-seed-vm-centos9s-efi - parent: kayobe-seed-vm-efi-base + name: kayobe-seed-vm-centos9s-q35 + parent: kayobe-seed-vm-q35-base nodeset: kayobe-centos9s voting: false - job: - name: kayobe-seed-vm-rocky9-efi - parent: kayobe-seed-vm-efi-base + name: kayobe-seed-vm-rocky9-q35 + parent: kayobe-seed-vm-q35-base nodeset: kayobe-rocky9 vars: kayobe_control_host_become: false - job: - name: kayobe-seed-vm-ubuntu-noble-efi - parent: kayobe-seed-vm-efi-base + name: kayobe-seed-vm-ubuntu-noble-q35 + parent: kayobe-seed-vm-q35-base nodeset: kayobe-ubuntu-noble - job: diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 24d0ea12d..2da584f04 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -21,9 +21,7 @@ - kayobe-seed-ubuntu-noble-podman - kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky9 - - kayobe-seed-vm-rocky9-efi - kayobe-seed-vm-ubuntu-noble - - kayobe-seed-vm-ubuntu-noble-efi - kayobe-infra-vm-rocky9 - kayobe-infra-vm-ubuntu-noble gate: @@ -60,3 +58,6 @@ - kayobe-seed-rocky9 - kayobe-seed-rocky9-podman - kayobe-seed-upgrade-rocky9 + - kayobe-seed-vm-centos9s-q35 + - kayobe-seed-vm-rocky9-q35 + - kayobe-seed-vm-ubuntu-noble-q35 From f7dbbd5f9a8b73f0938e19a6e88e0e992cb771b9 Mon Sep 17 00:00:00 2001 
From: Will Szumski Date: Tue, 19 Aug 2025 10:59:37 +0100 Subject: [PATCH 056/187] Adds selinux_update_kernel_param This is useful if the selinux kernel command line option is set in Grub config. Change-Id: I07c38a3c1815198bde164ad7146e1d1dcaac2cd8 Signed-off-by: Will Szumski --- ansible/roles/selinux/defaults/main.yml | 5 +++++ ansible/roles/selinux/tasks/main.yml | 1 + doc/source/configuration/reference/hosts.rst | 3 +++ .../adds-selinux-update-kernel-param-0f162ec4d55566e8.yaml | 5 +++++ 4 files changed, 14 insertions(+) create mode 100644 releasenotes/notes/adds-selinux-update-kernel-param-0f162ec4d55566e8.yaml diff --git a/ansible/roles/selinux/defaults/main.yml b/ansible/roles/selinux/defaults/main.yml index 80481b39f..8966e67f3 100644 --- a/ansible/roles/selinux/defaults/main.yml +++ b/ansible/roles/selinux/defaults/main.yml @@ -11,3 +11,8 @@ selinux_do_reboot: false # Number of seconds to wait for hosts to become accessible via SSH after being # rebooted. selinux_reboot_timeout: + +# Whether or not to update the selinux kernel parameter. Can be useful if you +# have selinux= set on the kernel command line. Default is to use +# the module default. +selinux_update_kernel_param: "{{ omit }}" diff --git a/ansible/roles/selinux/tasks/main.yml b/ansible/roles/selinux/tasks/main.yml index 2e375d5a3..43551d998 100644 --- a/ansible/roles/selinux/tasks/main.yml +++ b/ansible/roles/selinux/tasks/main.yml @@ -16,6 +16,7 @@ selinux: policy: "{{ selinux_policy }}" state: "{{ selinux_state }}" + update_kernel_param: "{{ selinux_update_kernel_param }}" register: selinux_result vars: ansible_python_interpreter: /usr/bin/python3 diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst index b8a79132d..6b08e84ab 100644 --- a/doc/source/configuration/reference/hosts.rst +++ b/doc/source/configuration/reference/hosts.rst 
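Review bot: The comment added above `selinux_update_kernel_param` in `defaults/main.yml` does not say what `true` and `false` do, although this setting decides whether a boot-time `selinux=` override survives. As I understand the `selinux` module's `update_kernel_param` option, `true` makes it rewrite the `selinux=` boot parameter to match `selinux_state` when enabling or disabling, whereas leaving it unset keeps an existing `selinux=0` on the command line, so the host can stay disabled while the configured state says otherwise. I would spell that out, e.g. `# When true, the selinux= kernel boot parameter is updated to match selinux_state; takes effect on the next reboot.` With `selinux_do_reboot: false` visible just above, it is also worth noting that the running kernel keeps its old setting until a reboot.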
@@ -560,6 +560,9 @@ the SELinux configuration. The timeout for waiting for systems to reboot is ``selinux_reboot_timeout``. Alternatively, the reboot may be avoided by setting ``selinux_do_reboot`` to ``false``. +The ``selinux_update_kernel_param`` variable can be used to change the selinux +state set on the kernel command line; it takes a boolean value. + Network Configuration ===================== *tags:* diff --git a/releasenotes/notes/adds-selinux-update-kernel-param-0f162ec4d55566e8.yaml b/releasenotes/notes/adds-selinux-update-kernel-param-0f162ec4d55566e8.yaml new file mode 100644 index 000000000..44bea9790 --- /dev/null +++ b/releasenotes/notes/adds-selinux-update-kernel-param-0f162ec4d55566e8.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Adds the ``selinux_update_kernel_param`` variable which controls whether + the selinux kernel command line option is updated. From 8106156e7838b38c5e8c0ed3e847a7e15d1d9fbf Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 22 Aug 2025 20:46:42 +0200 Subject: [PATCH 057/187] Revert "CI: Make rocky9 VM jobs non-voting" This reverts commit b67587ef6fc18aa5b4abba8eae980b740b21f18e. Reason for revert: cirros image should now be available. Change-Id: I743d61f9418a87d41d546e1e0db99aada4fe9726 Signed-off-by: Pierre Riteau --- zuul.d/project.yaml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 43dba5560..3da4d44e3 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -23,14 +23,11 @@ - kayobe-seed-ubuntu-noble-podman - kayobe-seed-upgrade-rocky9 - kayobe-seed-upgrade-ubuntu-noble - - kayobe-seed-vm-rocky9: - voting: false - - kayobe-seed-vm-rocky9-efi: - voting: false + - kayobe-seed-vm-rocky9 + - kayobe-seed-vm-rocky9-efi - kayobe-seed-vm-ubuntu-noble - kayobe-seed-vm-ubuntu-noble-efi - - kayobe-infra-vm-rocky9: - voting: false + - kayobe-infra-vm-rocky9 - kayobe-infra-vm-ubuntu-noble gate: jobs: 
@@ -48,7 +45,9 @@ - kayobe-seed-ubuntu-noble-podman - kayobe-seed-upgrade-rocky9 - kayobe-seed-upgrade-ubuntu-noble + - kayobe-seed-vm-rocky9 - kayobe-seed-vm-ubuntu-noble + - kayobe-infra-vm-rocky9 - kayobe-infra-vm-ubuntu-noble experimental: From 72884edc1192e188bcfd68d53a6534807c5c1ec9 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Tue, 19 Aug 2025 10:34:17 +0100 Subject: [PATCH 058/187] Fix networking connectivity check with no_ip When no_ip is applied to only a subset of the hosts for a particular network, network connectivity check could fail since we only checked the source IP was properly defined and not the destination IP. This adds a check for the destination IP. Also improves the loop label for ease of debugging. Closes-Bug: #2120918 Change-Id: I107f1b2687852a04eb4a6eb7cc82f4d6690bc177 Signed-off-by: Will Szumski --- ansible/network-connectivity.yml | 13 ++++++++++--- ...y-check-with-partial-no-ip-5efcc8ed6e76267e.yaml | 6 ++++++ 2 files changed, 16 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/fix-networking-connectivity-check-with-partial-no-ip-5efcc8ed6e76267e.yaml diff --git a/ansible/network-connectivity.yml b/ansible/network-connectivity.yml index 3440ae5d5..797d0f096 100644 --- a/ansible/network-connectivity.yml +++ b/ansible/network-connectivity.yml @@ -68,9 +68,12 @@ command: > ping {{ remote_ip }} -c1 -M do {% if mtu %} -s {{ mtu | int - icmp_overhead_bytes }}{% endif %} with_items: "{{ network_interfaces }}" + loop_control: + label: "{{ remote_host }} on {{ item }}" when: - - item | net_ip - remote_hosts | length > 0 + - remote_ip | length > 0 + - item | net_ip changed_when: False vars: # Select other hosts targeted by this play which have this network 
@@ -83,6 +86,10 @@ rejectattr('inventory_hostname', 'equalto', inventory_hostname) | map(attribute='inventory_hostname') | list }} - remote_host: "{{ remote_hosts | random }}" - remote_ip: "{{ item | net_ip(remote_host) }}" + # NOTE(wszumski): Needed to fix random choice for the run otherwise the + # when check: remote_ip | length > 0, would pass, but remote_ip was '' + # in the command. Assumption was that this was being evaluated once + # for the when clause and then again for the command. Bug? + remote_host: "{{ remote_hosts | random(seed=ansible_facts.date_time.iso8601) }}" + remote_ip: "{{ lookup('cached', 'vars', item ~ '_ips')[remote_host] | default('', true) }}" mtu: "{{ item | net_mtu }}" diff --git a/releasenotes/notes/fix-networking-connectivity-check-with-partial-no-ip-5efcc8ed6e76267e.yaml b/releasenotes/notes/fix-networking-connectivity-check-with-partial-no-ip-5efcc8ed6e76267e.yaml new file mode 100644 index 000000000..44ee8e262 --- /dev/null +++ b/releasenotes/notes/fix-networking-connectivity-check-with-partial-no-ip-5efcc8ed6e76267e.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixes network connectivity check when a subset of hosts have the ``no_ip`` + property set via group or host variables. + `LP#2120918 `__ From ce2b953c7e4e0b74556a3e2e44bd56798f710b73 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 28 Aug 2025 16:24:59 +0200 Subject: [PATCH 059/187] CI: Move failing jobs to experimental queue The Rocky Linux 9 seed jobs are failing due to the latest keystoneauth release dropping support for Python 3.9 [1], while the openstacksdk virtualenv is still created with the default Python interpreter. This will be resolved by supporting Rocky Linux 10. [1] https://review.opendev.org/c/openstack/keystoneauth/+/949008 Change-Id: I859528f0834d6679bd9d3b7d5248f0196aae5bae Signed-off-by: Pierre Riteau --- zuul.d/project.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 3da4d44e3..e3f64ace2 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -17,11 +17,8 @@ - kayobe-overcloud-host-configure-rocky9 - kayobe-overcloud-host-configure-ubuntu-noble - kayobe-overcloud-upgrade-ubuntu-noble - - kayobe-seed-rocky9 - - kayobe-seed-rocky9-podman - kayobe-seed-ubuntu-noble - kayobe-seed-ubuntu-noble-podman - - kayobe-seed-upgrade-rocky9 - kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky9 - kayobe-seed-vm-rocky9-efi @@ -63,3 +60,6 @@ - kayobe-seed-images-rocky9-podman - kayobe-seed-images-ubuntu-noble - kayobe-seed-images-ubuntu-noble-podman + - kayobe-seed-rocky9 + - kayobe-seed-rocky9-podman + - kayobe-seed-upgrade-rocky9 From f4913e43c2d537fa7100d2221f5ae68a9837cb15 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 29 Aug 2025 16:08:23 +0200 Subject: [PATCH 060/187] CI: Remove failing jobs from gate This was missed from I859528f0834d6679bd9d3b7d5248f0196aae5bae [1]. [1] https://review.opendev.org/c/openstack/kayobe/+/958772 Change-Id: I1db713c3cad53ce6d9b8875bcfdfeac597c951ab Signed-off-by: Pierre Riteau --- zuul.d/project.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index e3f64ace2..24d0ea12d 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -36,11 +36,8 @@ - kayobe-overcloud-host-configure-rocky9 - kayobe-overcloud-host-configure-ubuntu-noble - kayobe-overcloud-upgrade-ubuntu-noble - - kayobe-seed-rocky9 - - kayobe-seed-rocky9-podman - kayobe-seed-ubuntu-noble - kayobe-seed-ubuntu-noble-podman - - kayobe-seed-upgrade-rocky9 - kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky9 - kayobe-seed-vm-ubuntu-noble From ca90f8f7308a06acd414b2e0c189e77aba73852d Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Thu, 28 Aug 2025 23:15:32 +0200 Subject: [PATCH 061/187] Switch to EFI-compatible CentOS Stream cloud image As explained in a recent centos-devel message [1], which is in the context of CentOS Stream 10 but also applies to 9: Q: What is the difference between the two x86_64 qcow2 images? The original (without the extra x86_64) is our original Bios only image. The one with the extra x86_64 boots using EFI [1] https://lists.centos.org/hyperkitty/list/devel@lists.centos.org/thread/PQSMX2QQCOJRKMNLQSXDOFIKRGJF4QDM/ Closes-Bug: #2121588 Change-Id: Ibd2c68103e73b1ecedd1aade780f96af3d9e9ab3 Signed-off-by: Pierre Riteau --- ansible/inventory/group_vars/all/seed-vm | 4 ++-- releasenotes/notes/bug-2121588-ad6d8b33e3fcaff9.yaml | 6 ++++++ 2 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/bug-2121588-ad6d8b33e3fcaff9.yaml diff --git a/ansible/inventory/group_vars/all/seed-vm b/ansible/inventory/group_vars/all/seed-vm index ddc636117..cc840f46e 100644 --- a/ansible/inventory/group_vars/all/seed-vm +++ b/ansible/inventory/group_vars/all/seed-vm @@ -46,7 +46,7 @@ seed_vm_root_format: qcow2 # https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 # when os_distribution is "rocky", # or -# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-latest.x86_64.qcow2" +# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-9-latest.x86_64.qcow2" # otherwise. seed_vm_root_image: >- {%- if os_distribution == 'ubuntu' %} 
@@ -54,7 +54,7 @@ seed_vm_root_image: >- {%- elif os_distribution == 'rocky' %} https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 {%- else -%} - https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-latest.x86_64.qcow2 + https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-9-latest.x86_64.qcow2 {%- endif %} # Capacity of the seed VM data volume. diff --git a/releasenotes/notes/bug-2121588-ad6d8b33e3fcaff9.yaml b/releasenotes/notes/bug-2121588-ad6d8b33e3fcaff9.yaml new file mode 100644 index 000000000..ac5424b7f --- /dev/null +++ b/releasenotes/notes/bug-2121588-ad6d8b33e3fcaff9.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixes CentOS Stream 9 seed and infra VMs not booting by switching to an + EFI-compatible image. + `LP#2121588 `__ From f951d7e2749e15b2a8cdc3e88aff8dbf358a8146 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 2 Sep 2025 10:04:43 +0200 Subject: [PATCH 062/187] CI: Test seed VM with distribution cloud images Seed VM deployment testing was limited to the use of cirros images. Introduce jobs using distribution cloud images (e.g. GenericCloud) to test more realistic seed VM deployment scenarios. These jobs are in the experimental queue to avoid downloading large images on every change. Note that the Ubuntu Noble job is failing: the VM boots but is not able to get an IP address. Change-Id: I834259e7eeb6443cb0689997909d093e85decee6 Signed-off-by: Pierre Riteau --- .../kayobe-seed-vm-base/overrides.yml.j2 | 4 +++- zuul.d/jobs.yaml | 23 +++++++++++++++++++ zuul.d/project.yaml | 3 +++ 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/playbooks/kayobe-seed-vm-base/overrides.yml.j2 b/playbooks/kayobe-seed-vm-base/overrides.yml.j2 index bf98d7a89..db84c7376 100644 --- a/playbooks/kayobe-seed-vm-base/overrides.yml.j2 +++ b/playbooks/kayobe-seed-vm-base/overrides.yml.j2 
@@ -34,9 +34,11 @@ seed_vm_vcpus: 1 # Reduce the memory footprint of the seed VM. seed_vm_memory_mb: "{{ 1 * 1024 }}" -# Use cirros rather than CentOS for the VM. +{% if seed_vm_use_cirros | default(true) %} +# Use cirros rather than distribution cloud image for the VM. seed_bootstrap_user: cirros seed_vm_root_image: /opt/cache/files/cirros-0.5.3-x86_64-disk.img +{% endif %} {% if seed_vm_boot_firmware is defined %} seed_vm_boot_firmware: "{{ seed_vm_boot_firmware }}" diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 90d93d4c5..db4a88504 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -386,6 +386,29 @@ vars: kayobe_control_host_become: false +- job: + name: kayobe-seed-vm-centos9s-cloud-image + parent: kayobe-seed-vm-base + nodeset: kayobe-centos9s + voting: false + vars: + seed_vm_use_cirros: false + +- job: + name: kayobe-seed-vm-rocky9-cloud-image + parent: kayobe-seed-vm-base + nodeset: kayobe-rocky9 + vars: + seed_vm_use_cirros: false + +- job: + name: kayobe-seed-vm-ubuntu-noble-cloud-image + parent: kayobe-seed-vm-base + nodeset: kayobe-ubuntu-noble + voting: false + vars: + seed_vm_use_cirros: false + - job: name: kayobe-seed-vm-q35-base parent: kayobe-seed-vm-base diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 2da584f04..803521e31 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -58,6 +58,9 @@ - kayobe-seed-rocky9 - kayobe-seed-rocky9-podman - kayobe-seed-upgrade-rocky9 + - kayobe-seed-vm-centos9s-cloud-image - kayobe-seed-vm-centos9s-q35 + - kayobe-seed-vm-rocky9-cloud-image - kayobe-seed-vm-rocky9-q35 + - kayobe-seed-vm-ubuntu-noble-cloud-image - kayobe-seed-vm-ubuntu-noble-q35 From 56a33de329c614e8614c1eea5253c00ad4130075 Mon Sep 17 00:00:00 2001 
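Review bot: `{% if seed_vm_use_cirros | default(true) %}` tests Jinja truthiness, so a value that arrives as the string `"false"` (for example from an extra-var or a quoted job variable) still selects the cirros image. Adding the cast, `{% if seed_vm_use_cirros | default(true) | bool %}`, makes the switch behave the same for booleans and strings. The jobs added in this patch pass a YAML `false`, so this only matters for other callers. The same pattern is used for `infra_vm_use_cirros` in PATCH 065.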
From: Pierre Riteau Date: Wed, 3 Sep 2025 11:00:57 +0200 Subject: [PATCH 063/187] Remove rule for legacy deployment kernel update This rule was introduced in the 2023.2 release and backported to previous releases (Yoga being the oldest) [1]. It is also relevant only for deployments that were created on the Train release or earlier. Assume that the migration was performed and remove the rule definition. [1] https://review.opendev.org/c/openstack/kayobe/+/808111 Change-Id: Ib180dd96242fd153b326076ca732b4d58f511a44 Signed-off-by: Pierre Riteau --- ansible/inventory/group_vars/all/bifrost | 5 +---- ansible/inventory/group_vars/all/inspector | 12 ------------ ansible/seed-introspection-rules.yml | 1 - etc/kayobe/bifrost.yml | 3 --- ...r-rule-legacy-deploy-kernel-1a4f1f5db58766ee.yaml | 12 ++++++++++++ 5 files changed, 13 insertions(+), 20 deletions(-) create mode 100644 releasenotes/notes/remove-inspector-rule-legacy-deploy-kernel-1a4f1f5db58766ee.yaml diff --git a/ansible/inventory/group_vars/all/bifrost b/ansible/inventory/group_vars/all/bifrost index d9bfe0013..18eb4bb91 100644 --- a/ansible/inventory/group_vars/all/bifrost +++ b/ansible/inventory/group_vars/all/bifrost @@ -103,7 +103,7 @@ kolla_bifrost_inspector_port_addition: "{{ inspector_add_ports }}" kolla_bifrost_inspector_extra_kernel_options: "{{ inspector_extra_kernel_options }}" # List of introspection rules for Bifrost's Ironic Inspector service. -kolla_bifrost_inspector_rules: "{{ inspector_rules + [inspector_rule_legacy_deploy_kernel] }}" +kolla_bifrost_inspector_rules: "{{ inspector_rules }}" # Ironic inspector IPMI username to set. kolla_bifrost_inspector_ipmi_username: "{{ ipmi_username }}" 
@@ -127,9 +127,6 @@ kolla_bifrost_inspector_deploy_kernel: "http://{{ provision_oc_net_name | net_ip # Ironic inspector deployment ramdisk location. kolla_bifrost_inspector_deploy_ramdisk: "http://{{ provision_oc_net_name | net_ip }}:8080/ipa.initramfs" -# Ironic inspector legacy deployment kernel location. -kolla_bifrost_inspector_legacy_deploy_kernel: "http://{{ provision_oc_net_name | net_ip }}:8080/ipa.vmlinuz" - # Timeout of hardware inspection on overcloud nodes, in seconds. Default is # {{ inspector_inspection_timeout }}. kolla_bifrost_inspection_timeout: "{{ inspector_inspection_timeout }}" diff --git a/ansible/inventory/group_vars/all/inspector b/ansible/inventory/group_vars/all/inspector index 5b0272e70..bdf3df568 100644 --- a/ansible/inventory/group_vars/all/inspector +++ b/ansible/inventory/group_vars/all/inspector @@ -140,18 +140,6 @@ inspector_rule_deploy_kernel: path: "driver_info/deploy_kernel" value: "{{ inspector_rule_var_deploy_kernel }}" -# Ironic inspector rule to update deployment kernel from legacy location. -inspector_rule_legacy_deploy_kernel: - description: "Update deploy kernel from legacy" - conditions: - - field: "node://driver_info.deploy_kernel" - op: "eq" - value: "{{ inspector_rule_var_legacy_deploy_kernel }}" - actions: - - action: "set-attribute" - path: "driver_info/deploy_kernel" - value: "{{ inspector_rule_var_deploy_kernel }}" - # Deployment ramdisk referenced by inspector rule. inspector_rule_var_deploy_ramdisk: diff --git a/ansible/seed-introspection-rules.yml b/ansible/seed-introspection-rules.yml index 577cb6861..edcb031bf 100644 --- a/ansible/seed-introspection-rules.yml +++ b/ansible/seed-introspection-rules.yml 
@@ -19,5 +19,4 @@ inspector_rule_var_lldp_switch_port_interface: "{{ kolla_bifrost_inspector_lldp_switch_port_interface }}" inspector_rule_var_deploy_kernel: "{{ kolla_bifrost_inspector_deploy_kernel }}" inspector_rule_var_deploy_ramdisk: "{{ kolla_bifrost_inspector_deploy_ramdisk }}" - inspector_rule_var_legacy_deploy_kernel: "{{ kolla_bifrost_inspector_legacy_deploy_kernel }}" when: kolla_enable_bifrost | bool diff --git a/etc/kayobe/bifrost.yml b/etc/kayobe/bifrost.yml index d9c2e1e9a..cf75637e7 100644 --- a/etc/kayobe/bifrost.yml +++ b/etc/kayobe/bifrost.yml @@ -127,9 +127,6 @@ # Ironic inspector deployment ramdisk location. #kolla_bifrost_inspector_deploy_ramdisk: -# Ironic inspector legacy deployment kernel location. -#kolla_bifrost_inspector_legacy_deploy_kernel: - # Timeout of hardware inspection on overcloud nodes, in seconds. Default is # {{ inspector_inspection_timeout }}. #kolla_bifrost_inspection_timeout: diff --git a/releasenotes/notes/remove-inspector-rule-legacy-deploy-kernel-1a4f1f5db58766ee.yaml b/releasenotes/notes/remove-inspector-rule-legacy-deploy-kernel-1a4f1f5db58766ee.yaml new file mode 100644 index 000000000..ff4850587 --- /dev/null +++ b/releasenotes/notes/remove-inspector-rule-legacy-deploy-kernel-1a4f1f5db58766ee.yaml @@ -0,0 +1,12 @@ +--- +upgrade: + - | + Removes the Bifrost introspection rule that was updating the deploy kernel + location from the legacy ``ipa.vmlinuz`` path to the new ``ipa.kernel`` + path. If this migration has not yet been applied, update the deployment + kernel location manually with: + + ``OS_CLOUD=bifrost baremetal node set --driver-info deploy_kernel= $NODE_UUID_OR_NAME`` + + This is only relevant for deployments with nodes discovered with the + OpenStack Train release or earlier. From 8e977fa25acdcdd6b8ac25de505288f37c10453e Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Wed, 3 Sep 2025 19:21:54 +0200 Subject: [PATCH 064/187] Switch infra VMs to EFI-compatible CentOS image This was only applied to the seed VM in a previous change [1]. [1] https://review.opendev.org/c/openstack/kayobe/+/958641 Change-Id: I0698babb1eaa21b33385d96c5beee3c022d45424 Signed-off-by: Pierre Riteau --- ansible/inventory/group_vars/all/infra-vms | 4 ++-- etc/kayobe/infra-vms.yml | 2 +- etc/kayobe/seed-vm.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ansible/inventory/group_vars/all/infra-vms b/ansible/inventory/group_vars/all/infra-vms index f5fe780ba..65f5b9bce 100644 --- a/ansible/inventory/group_vars/all/infra-vms +++ b/ansible/inventory/group_vars/all/infra-vms @@ -46,7 +46,7 @@ infra_vm_root_format: qcow2 # https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 # when os_distribution is "rocky", # or -# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-latest.x86_64.qcow2" +# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-9-latest.x86_64.qcow2" # otherwise. infra_vm_root_image: >- {%- if os_distribution == 'ubuntu' %} @@ -54,7 +54,7 @@ infra_vm_root_image: >- {%- elif os_distribution == 'rocky' %} https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 {%- else -%} - https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-latest.x86_64.qcow2 + https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-9-latest.x86_64.qcow2 {%- endif %} # Capacity of the infra VM data volume. diff --git a/etc/kayobe/infra-vms.yml b/etc/kayobe/infra-vms.yml index 364506595..994f82d96 100644 --- a/etc/kayobe/infra-vms.yml +++ b/etc/kayobe/infra-vms.yml 
@@ -35,7 +35,7 @@ # https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 # when os_distribution is "rocky", # or -# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-latest.x86_64.qcow2" +# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-9-latest.x86_64.qcow2" # otherwise. #infra_vm_root_image: diff --git a/etc/kayobe/seed-vm.yml b/etc/kayobe/seed-vm.yml index 3c8352a78..e7d0ac0a9 100644 --- a/etc/kayobe/seed-vm.yml +++ b/etc/kayobe/seed-vm.yml @@ -35,7 +35,7 @@ # https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 # when os_distribution is "rocky", # or -# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-latest.x86_64.qcow2" +# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-9-latest.x86_64.qcow2" # otherwise. #seed_vm_root_image: From 43236f19c1f782e38c7a4b9ef4944b6e07128296 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 4 Sep 2025 09:39:07 +0200 Subject: [PATCH 065/187] CI: Add jobs for infra VM testing with cloud image Change-Id: I224a187372ff948634c5a039e284c4455ee24af2 Signed-off-by: Pierre Riteau --- .../kayobe-infra-vm-base/overrides.yml.j2 | 4 +++- zuul.d/jobs.yaml | 23 +++++++++++++++++++ zuul.d/project.yaml | 3 +++ 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/playbooks/kayobe-infra-vm-base/overrides.yml.j2 b/playbooks/kayobe-infra-vm-base/overrides.yml.j2 index 0c3865b48..7fc4b3e08 100644 --- a/playbooks/kayobe-infra-vm-base/overrides.yml.j2 +++ b/playbooks/kayobe-infra-vm-base/overrides.yml.j2 
@@ -31,9 +31,11 @@ infra_vm_vcpus: 1 # Reduce the memory footprint of the infra VM. infra_vm_memory_mb: "{{ 1 * 1024 }}" -# Use cirros rather than CentOS for the VM. +{% if infra_vm_use_cirros | default(true) %} +# Use cirros rather than distribution cloud image for the VM. infra_vm_bootstrap_user: cirros infra_vm_root_image: /opt/cache/files/cirros-0.5.3-x86_64-disk.img +{% endif %} # Cirros doesn't load cdom drivers by default. vm_configdrive_device: disk diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index db4a88504..dc34d160a 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -464,3 +464,26 @@ name: kayobe-infra-vm-ubuntu-noble parent: kayobe-infra-vm-base nodeset: kayobe-ubuntu-noble + +- job: + name: kayobe-infra-vm-centos9s-cloud-image + parent: kayobe-infra-vm-base + nodeset: kayobe-centos9s + voting: false + vars: + infra_vm_use_cirros: false + +- job: + name: kayobe-infra-vm-rocky9-cloud-image + parent: kayobe-infra-vm-base + nodeset: kayobe-rocky9 + vars: + infra_vm_use_cirros: false + +- job: + name: kayobe-infra-vm-ubuntu-noble-cloud-image + parent: kayobe-infra-vm-base + nodeset: kayobe-ubuntu-noble + voting: false + vars: + infra_vm_use_cirros: false diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 803521e31..0b672db6f 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -44,6 +44,9 @@ experimental: jobs: + - kayobe-infra-vm-centos9s-cloud-image + - kayobe-infra-vm-rocky9-cloud-image + - kayobe-infra-vm-ubuntu-noble-cloud-image - kayobe-overcloud-centos9s - kayobe-overcloud-host-configure-centos9s - kayobe-overcloud-rocky9 From 3912eeea940510301666226a2e4c376c8d96f7d6 Mon Sep 17 00:00:00 2001 From: Doug Szumski Date: Fri, 5 Sep 2025 16:31:55 +0100 Subject: [PATCH 066/187] Fix kolla_docker_namespace comment The default was updated in I5d49279fa9a2a263d84c6f468c00d4c8538c538c but not the comment. TrivialFix Change-Id: I02909f2df9ab6f3c526785f2770fcd7a52063683 
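Review bot: The new guard `{% if infra_vm_use_cirros | default(true) %}` tests the raw value, so a non-empty string such as "false" (for instance if the variable ever arrives as a string rather than a YAML boolean from the job's `vars`) is truthy and the cirros overrides would still be rendered. Coercing it keeps the toggle predictable: `{% if infra_vm_use_cirros | default(true) | bool %}`, assuming the template is rendered by Ansible, where the `bool` filter is available. Separately, `vm_configdrive_device: disk` and its "Cirros doesn't load cdom drivers" comment stay outside the conditional, so the setting also applies to the new cloud-image jobs. If that is intended, the comment should say it is kept for both cases.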
Signed-off-by: Doug Szumski --- etc/kayobe/kolla.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml index 30ca8cca3..9859a9e6b 100644 --- a/etc/kayobe/kolla.yml +++ b/etc/kayobe/kolla.yml @@ -86,7 +86,7 @@ # case Quay.io will be used. #kolla_docker_registry: -# Docker namespace to use for Kolla images. Default is 'kolla'. +# Docker namespace to use for Kolla images. Default is 'openstack.kolla'. #kolla_docker_namespace: # Username to use to access a docker registry. Default is not set, in which From 0e06198458b0ac3adfad385fc8499408582018b8 Mon Sep 17 00:00:00 2001 From: Doug Szumski Date: Fri, 5 Sep 2025 16:35:50 +0100 Subject: [PATCH 067/187] Fix network check for Bifrost If you disable Bifrost, then don't warn about configuring a network for it. TrivialFix Change-Id: I2fa2d98ac4a4372d009c93963475ca224fde13ba Signed-off-by: Doug Szumski --- ansible/kolla-ansible.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/kolla-ansible.yml b/ansible/kolla-ansible.yml index d1d67d7a7..55b79c530 100644 --- a/ansible/kolla-ansible.yml +++ b/ansible/kolla-ansible.yml @@ -120,13 +120,13 @@ - var_name: "kolla_bifrost_network_interface" description: "Bifrost provisioning network" network: "{{ provision_oc_net_name }}" - required: True + required: "{{ kolla_enable_bifrost | bool }}" # Strictly api_interface is not required but kolla-ansible currently # references it in prechecks. - var_name: "kolla_api_interface" description: "Bifrost provisioning network" network: "{{ provision_oc_net_name }}" - required: True + required: "{{ kolla_enable_bifrost | bool }}" - import_role: name: kolla-ansible-host-vars From 2cbb10141f65acc1c34a4575c15c9e2645532599 Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Tue, 9 Sep 2025 09:47:13 +0200 Subject: [PATCH 068/187] CI: Remove configuration of ironic interfaces This was only required for compatibility between older releases in upgrade jobs. Change-Id: I1d74f1b23288092ba7405c585d537e4ea3f61e8d Signed-off-by: Pierre Riteau --- .../kayobe-overcloud-upgrade-base/overrides.yml.j2 | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2 index 4ac75a54c..1170a5ed9 100644 --- a/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2 +++ b/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2 @@ -41,17 +41,5 @@ compute_libvirt_sasl_password: "{% raw %}{{ lookup('password', '/tmp/libvirt-sas # Enable ironic for testing baremetal compute. kolla_enable_ironic: true -# TODO(mgoddard): Remove condition and contents when previous release is Epoxy. -# In Dalmatian we switched to the upstream ironic defaults for hardware -# interfaces, which does not enable the following interfaces. -{% if not is_previous_release | default(false) %} -kolla_ironic_enabled_console_interfaces: - - ipmitool-socat - - no-console -kolla_ironic_enabled_inspect_interfaces: - - inspector - - no-inspect -{% endif %} - # Disable heat to save disk space. kolla_enable_heat: false From 59eb49f88efd6b83f7431363d31676188e49390a Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 9 Sep 2025 09:39:04 +0200 Subject: [PATCH 069/187] Remove ironic-inspector support The ironic-inspector service has been replaced by built-in in-band inspection in ironic [1]. This change disables and removes enough code to allow CI tests to pass. Migration to the built-in in-band inspection will be done separately. [1] https://docs.openstack.org/ironic/latest/admin/inspection/migration.html Change-Id: I8caa8ea763fe5aee9d356850378db770cdbf2ccd 
Signed-off-by: Pierre Riteau --- ansible/inventory/group_vars/all/kolla | 1 - ansible/overcloud-introspection-rules.yml | 24 ++----------------- .../templates/overcloud-services.j2 | 7 +----- .../roles/kolla-ansible/tests/test-extras.yml | 1 - ansible/roles/kolla-ansible/vars/main.yml | 1 - .../roles/kolla-openstack/defaults/main.yml | 7 ------ .../molecule/enable-everything/molecule.yml | 3 --- .../molecule/enable-everything/prepare.yml | 1 - .../enable-everything/tests/test_default.py | 2 -- ansible/seed-introspection-rules.yml | 2 +- .../configuration/reference/kolla-ansible.rst | 2 -- etc/kayobe/kolla.yml | 1 - playbooks/kayobe-overcloud-base/run.yml | 1 + .../kayobe-overcloud-upgrade-base/run.yml | 1 + ...rop-ironic-inspector-ce12abb330f5398b.yaml | 4 ++++ 15 files changed, 10 insertions(+), 48 deletions(-) create mode 100644 releasenotes/notes/drop-ironic-inspector-ce12abb330f5398b.yaml diff --git a/ansible/inventory/group_vars/all/kolla b/ansible/inventory/group_vars/all/kolla index 9b63291b7..f20c0e5fd 100644 --- a/ansible/inventory/group_vars/all/kolla +++ b/ansible/inventory/group_vars/all/kolla @@ -548,7 +548,6 @@ kolla_enable_heat: "{{ kolla_enable_openstack_core | bool }}" kolla_enable_horizon: "{{ kolla_enable_openstack_core | bool }}" kolla_enable_influxdb: "{{ kolla_enable_cloudkitty | bool }}" kolla_enable_ironic: "no" -kolla_enable_ironic_inspector: "{{ kolla_enable_ironic | bool }}" kolla_enable_ironic_neutron_agent: "{{ kolla_enable_neutron | bool and kolla_enable_ironic | bool }}" kolla_enable_iscsid: "{{ kolla_enable_cinder | bool and kolla_enable_cinder_backend_iscsi | bool }}" kolla_enable_kuryr: "no" diff --git a/ansible/overcloud-introspection-rules.yml b/ansible/overcloud-introspection-rules.yml index 6f460968f..0782800d2 100644 --- a/ansible/overcloud-introspection-rules.yml +++ b/ansible/overcloud-introspection-rules.yml 
@@ -5,9 +5,9 @@ tags: - introspection-rules tasks: - - name: Create controllers group with ironic inspector enabled + - name: Create controllers group with ironic enabled group_by: - key: "controllers_for_introspection_rules_{{ kolla_enable_ironic_inspector | bool }}" + key: "controllers_for_introspection_rules_{{ kolla_enable_ironic | bool }}" changed_when: false - name: Ensure introspection rules are registered in Ironic Inspector @@ -55,23 +55,3 @@ changed_when: False register: ipa_ramdisk_id environment: "{{ openstack_auth_env }}" - - roles: - - role: ironic-inspector-rules - os_openstacksdk_install_epel: "{{ dnf_install_epel }}" - os_openstacksdk_state: "latest" - ironic_inspector_venv: "{{ venv }}" - ironic_inspector_upper_constraints_file: "{{ openstacksdk_upper_constraints_file }}" - ironic_inspector_auth_type: "{{ openstack_auth_type }}" - ironic_inspector_auth: "{{ openstack_auth }}" - ironic_inspector_cacert: "{{ openstack_cacert }}" - ironic_inspector_interface: "{{ openstack_interface }}" - ironic_inspector_rules: "{{ inspector_rules }}" - # These variables may be referenced in the introspection rules. - inspector_rule_var_ipmi_username: "{{ inspector_ipmi_username }}" - inspector_rule_var_ipmi_password: "{{ inspector_ipmi_password }}" - inspector_rule_var_redfish_username: "{{ inspector_redfish_username }}" - inspector_rule_var_redfish_password: "{{ inspector_redfish_password }}" - inspector_rule_var_lldp_switch_port_interface: "{{ inspector_lldp_switch_port_interface_default }}" - inspector_rule_var_deploy_kernel: "{{ ipa_kernel_id.stdout }}" - inspector_rule_var_deploy_ramdisk: "{{ ipa_ramdisk_id.stdout }}" diff --git a/ansible/roles/kolla-ansible/templates/overcloud-services.j2 b/ansible/roles/kolla-ansible/templates/overcloud-services.j2 index 7fedcb915..b87737dbb 100644 --- a/ansible/roles/kolla-ansible/templates/overcloud-services.j2 +++ b/ansible/roles/kolla-ansible/templates/overcloud-services.j2 
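Review bot: With the `roles:` section deleted in the second hunk, nothing visible consumes `ipa_kernel_id` or `ipa_ramdisk_id` any more, yet the play "Ensure introspection rules are registered in Ironic Inspector" is kept, and the `group_by` key in the first hunk now depends on `kolla_enable_ironic` alone. If the tasks between the two hunks still run, they authenticate through `openstack_auth_env` only to register values that are then discarded. I would skip them until built-in inspection lands, in the same way this commit does elsewhere, e.g. `when: false  # TODO(priteau): Re-enable with built-in inspection`, or remove them together with the role. Most of the play lies outside the hunks, so this needs checking against the full file.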
@@ -198,13 +198,8 @@ ironic [ironic-conductor:children] ironic -{% if kolla_ironic_inspector_host %} -[ironic-inspector] -{{ kolla_ironic_inspector_host }} -{% else %} -[ironic-inspector:children] +[ironic-dnsmasq:children] ironic -{% endif %} [ironic-tftp:children] ironic diff --git a/ansible/roles/kolla-ansible/tests/test-extras.yml b/ansible/roles/kolla-ansible/tests/test-extras.yml index bef29ad3b..607d7945e 100644 --- a/ansible/roles/kolla-ansible/tests/test-extras.yml +++ b/ansible/roles/kolla-ansible/tests/test-extras.yml @@ -165,7 +165,6 @@ kolla_enable_horizon: True kolla_enable_influxdb: True kolla_enable_ironic: True - kolla_enable_ironic_inspector: True kolla_enable_ironic_neutron_agent: True kolla_enable_kuryr: True kolla_enable_magnum: True diff --git a/ansible/roles/kolla-ansible/vars/main.yml b/ansible/roles/kolla-ansible/vars/main.yml index 389a6be03..288fef215 100644 --- a/ansible/roles/kolla-ansible/vars/main.yml +++ b/ansible/roles/kolla-ansible/vars/main.yml @@ -142,7 +142,6 @@ kolla_feature_flags: - influxdb - ironic - ironic_dnsmasq - - ironic_inspector - ironic_neutron_agent - ironic_prometheus_exporter - iscsid diff --git a/ansible/roles/kolla-openstack/defaults/main.yml b/ansible/roles/kolla-openstack/defaults/main.yml index f74c995cd..0d9f2b697 100644 --- a/ansible/roles/kolla-openstack/defaults/main.yml +++ b/ansible/roles/kolla-openstack/defaults/main.yml @@ -92,10 +92,6 @@ kolla_openstack_custom_config_include_globs_default: glob: horizon/** - enabled: '{{ kolla_enable_influxdb | bool }}' glob: influx* - - enabled: '{{ kolla_enable_ironic_inspector | bool }}' - glob: ironic-inspector.conf - - enabled: '{{ kolla_enable_ironic_inspector | bool }}' - glob: ironic-inspector/** - enabled: '{{ kolla_enable_ironic | bool }}' glob: ironic.conf - enabled: '{{ kolla_enable_ironic | bool }}' 
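Review bot: Removing the `{% if kolla_ironic_inspector_host %}` branch means an operator who has set `kolla_ironic_inspector_host` gets no error and the value is silently ignored, while the new `[ironic-dnsmasq:children]` group places dnsmasq on every host in `ironic`. The upgrade note added by this commit only says that deploying ironic-inspector is no longer supported. I would name the variable in that note and add a comment above the group, e.g. `# ironic-dnsmasq runs on all ironic hosts; kolla_ironic_inspector_host is no longer used.` Whether the variable is still defined in the role defaults is not visible from this hunk.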
@@ -564,9 +560,6 @@ kolla_extra_ironic: ############################################################################### # Ironic inspector configuration. -# Whether to enable Ironic inspector. -kolla_enable_ironic_inspector: "{{ kolla_enable_ironic | bool }}" - # Comma-separated list of inspector processing plugins. kolla_inspector_processing_hooks: diff --git a/ansible/roles/kolla-openstack/molecule/enable-everything/molecule.yml b/ansible/roles/kolla-openstack/molecule/enable-everything/molecule.yml index 345cc4eef..9fcabb6b2 100644 --- a/ansible/roles/kolla-openstack/molecule/enable-everything/molecule.yml +++ b/ansible/roles/kolla-openstack/molecule/enable-everything/molecule.yml @@ -80,9 +80,6 @@ provisioner: kolla_extra_ironic: | [extra-ironic.conf] foo=bar - kolla_extra_inspector: | - [extra-ironic-inspector.conf] - foo=bar kolla_inspector_ipa_kernel_path: ${MOLECULE_TEMP_PATH:-/tmp/molecule}/ironic-agent.kernel kolla_inspector_ipa_ramdisk_path: ${MOLECULE_TEMP_PATH:-/tmp/molecule}/ironic-agent.initramfs kolla_enable_keepalived: true diff --git a/ansible/roles/kolla-openstack/molecule/enable-everything/prepare.yml b/ansible/roles/kolla-openstack/molecule/enable-everything/prepare.yml index 3c491fa1e..a39c596c9 100644 --- a/ansible/roles/kolla-openstack/molecule/enable-everything/prepare.yml +++ b/ansible/roles/kolla-openstack/molecule/enable-everything/prepare.yml @@ -63,7 +63,6 @@ - grafana.ini - heat.conf - ironic.conf - - ironic-inspector.conf - keystone.conf - magnum.conf - manila.conf diff --git a/ansible/roles/kolla-openstack/molecule/enable-everything/tests/test_default.py b/ansible/roles/kolla-openstack/molecule/enable-everything/tests/test_default.py index 4e9a40a22..72d74d0b0 100644 --- a/ansible/roles/kolla-openstack/molecule/enable-everything/tests/test_default.py +++ b/ansible/roles/kolla-openstack/molecule/enable-everything/tests/test_default.py 
@@ -37,7 +37,6 @@ 'grafana.ini', 'heat.conf', 'ironic.conf', - 'ironic-inspector.conf', 'keystone.conf', 'magnum.conf', 'manila.conf', @@ -70,7 +69,6 @@ def test_service_ini_file(host, path): 'grafana.ini', 'heat.conf', 'ironic.conf', - 'ironic-inspector.conf', 'keystone.conf', 'magnum.conf', 'manila.conf', diff --git a/ansible/seed-introspection-rules.yml b/ansible/seed-introspection-rules.yml index edcb031bf..ca92bdd13 100644 --- a/ansible/seed-introspection-rules.yml +++ b/ansible/seed-introspection-rules.yml @@ -19,4 +19,4 @@ inspector_rule_var_lldp_switch_port_interface: "{{ kolla_bifrost_inspector_lldp_switch_port_interface }}" inspector_rule_var_deploy_kernel: "{{ kolla_bifrost_inspector_deploy_kernel }}" inspector_rule_var_deploy_ramdisk: "{{ kolla_bifrost_inspector_deploy_ramdisk }}" - when: kolla_enable_bifrost | bool + when: kolla_enable_bifrost | bool and false # TODO(priteau): Re-enable with built-in inspection diff --git a/doc/source/configuration/reference/kolla-ansible.rst b/doc/source/configuration/reference/kolla-ansible.rst index be35761a3..5fc6e7e45 100644 --- a/doc/source/configuration/reference/kolla-ansible.rst +++ b/doc/source/configuration/reference/kolla-ansible.rst @@ -721,8 +721,6 @@ which files are supported. ``heat/*`` Extended heat configuration. ``horizon/*`` Extended horizon configuration. ``influx*`` InfluxDB configuration. - ``ironic-inspector.conf`` Ironic inspector configuration. - ``ironic-inspector/*`` Extended Ironic inspector configuration ``ironic.conf`` Ironic configuration. ``ironic/*`` Extended ironic configuration. ``keepalived/*`` Extended keepalived configuration. diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml index 9859a9e6b..b0ddc74bd 100644 --- a/etc/kayobe/kolla.yml +++ b/etc/kayobe/kolla.yml 
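Review bot: In ansible/seed-introspection-rules.yml, `when: kolla_enable_bifrost | bool and false` turns the role into a permanent no-op while still reading like a Bifrost condition; the only hint is the trailing comment. The seed introspection rules fed by the `inspector_rule_var_*` values above therefore stop being applied with no message to the operator, and the upgrade note in this commit does not mention it. A list form keeps the original condition intact and makes the temporary switch obvious: `when:`, then `- kolla_enable_bifrost | bool`, then `- false  # TODO(priteau): Re-enable with built-in inspection`. The role invocation starts above the hunk.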
@@ -350,7 +350,6 @@ #kolla_enable_influxdb: #kolla_enable_ironic: #kolla_enable_ironic_dnsmasq: -#kolla_enable_ironic_inspector: #kolla_enable_ironic_neutron_agent: #kolla_enable_ironic_prometheus_exporter: #kolla_enable_iscsid: diff --git a/playbooks/kayobe-overcloud-base/run.yml b/playbooks/kayobe-overcloud-base/run.yml index 76ecd8af6..cdc3828e2 100644 --- a/playbooks/kayobe-overcloud-base/run.yml +++ b/playbooks/kayobe-overcloud-base/run.yml @@ -41,6 +41,7 @@ cmd: dev/overcloud-test-baremetal.sh &> {{ logs_dir }}/ansible/overcloud-test-baremetal chdir: "{{ kayobe_src_dir }}" executable: /bin/bash + when: false # TODO(priteau): Re-enable with built-in inspection - name: Register dummy baremetal compute nodes shell: diff --git a/playbooks/kayobe-overcloud-upgrade-base/run.yml b/playbooks/kayobe-overcloud-upgrade-base/run.yml index 820536979..03d5e3e72 100644 --- a/playbooks/kayobe-overcloud-upgrade-base/run.yml +++ b/playbooks/kayobe-overcloud-upgrade-base/run.yml @@ -109,6 +109,7 @@ cmd: dev/overcloud-test-baremetal.sh &> {{ logs_dir }}/ansible/overcloud-test-bm-post-upgrade chdir: "{{ kayobe_src_dir }}" executable: /bin/bash + when: false # TODO(priteau): Re-enable with built-in inspection environment: KAYOBE_CONFIG_SOURCE_PATH: "{{ kayobe_config_src_dir }}" diff --git a/releasenotes/notes/drop-ironic-inspector-ce12abb330f5398b.yaml b/releasenotes/notes/drop-ironic-inspector-ce12abb330f5398b.yaml new file mode 100644 index 000000000..bea9b3d7f --- /dev/null +++ b/releasenotes/notes/drop-ironic-inspector-ce12abb330f5398b.yaml @@ -0,0 +1,4 @@ +--- +upgrade: + - | + Support for deploying ironic-inspector has been dropped. From 183ccc5d29e0a80d9ea7fb3869536cfd0d50a2a3 Mon Sep 17 00:00:00 2001 
From: Michal Nasiadka Date: Wed, 10 Sep 2025 07:46:39 +0200 Subject: [PATCH 070/187] CI: Switch queue to kolla It will allow to gate with Kolla/Kolla-Ansible patches. See [1] [1]: https://zuul-ci.org/docs/zuul/latest/config/pipeline.html#value-pipeline.manager.dependent Change-Id: Ie6e93052c5be0a7d8c4adb2c0ee2b8f2eff5d59e Signed-off-by: Michal Nasiadka --- zuul.d/project.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 0b672db6f..3ac8dc589 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -1,6 +1,6 @@ --- - project: - queue: kayobe + queue: kolla templates: - ansible-role-jobs - openstack-cover-jobs From c136c23daee93960b6d09053b04b8e45f59d83e4 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 10 Sep 2025 19:05:58 +0200 Subject: [PATCH 071/187] Bump MichaelRigart.interfaces to v1.15.6 This adds support for CentOS Stream 10 and Rocky Linux 10. Change-Id: Ie20f74a43bab9074b7207e4d70d1da56adb13e1a Signed-off-by: Pierre Riteau --- ...ump-michaelrigart.interfaces-1.15.6-c5a85320e5b3f4e3.yaml | 5 +++++ requirements.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/bump-michaelrigart.interfaces-1.15.6-c5a85320e5b3f4e3.yaml diff --git a/releasenotes/notes/bump-michaelrigart.interfaces-1.15.6-c5a85320e5b3f4e3.yaml b/releasenotes/notes/bump-michaelrigart.interfaces-1.15.6-c5a85320e5b3f4e3.yaml new file mode 100644 index 000000000..7d2259c15 --- /dev/null +++ b/releasenotes/notes/bump-michaelrigart.interfaces-1.15.6-c5a85320e5b3f4e3.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Bumps the MichaelRigart.interfaces role to v1.15.6 to fix compatibility + with CentOS Stream 10 and Rocky Linux 10. diff --git a/requirements.yml b/requirements.yml index d51d5eeb8..e3d4f1de9 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -27,7 +27,7 @@ roles: # There are no versioned releases of this role. version: 313c9b0ff8cd8009471380ccd71b27b440ac6704 - src: MichaelRigart.interfaces - version: v1.15.5 + version: v1.15.6 - src: mrlesmithjr.chrony version: v0.1.6 - src: mrlesmithjr.manage_lvm From 44163326edf0ed33e801e9fd9644f38258225b1e Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 17 Sep 2025 23:05:48 +0200 Subject: [PATCH 072/187] Fix disabling NetworkManager DNS management on Rocky Linux 10 Change-Id: I9e968eb26747d690f1dd0cf138497311e9360cff Signed-off-by: Pierre Riteau --- ansible/roles/network-redhat/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/network-redhat/tasks/main.yml b/ansible/roles/network-redhat/tasks/main.yml index c73e31152..c8f07780e 100644 --- a/ansible/roles/network-redhat/tasks/main.yml +++ b/ansible/roles/network-redhat/tasks/main.yml @@ -18,7 +18,7 @@ - option: rc-manager value: unmanaged when: - - ansible_facts.os_family == "RedHat" and ansible_facts.distribution_major_version == "9" + - ansible_facts.os_family == "RedHat" and ansible_facts.distribution_major_version | int >= 9 register: dns_config_task - name: Reload NetworkManager with DNS config From d6273899b4c7c6660ef16199a1acbe2e4a85201c Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 19 Sep 2025 14:34:02 +0200 Subject: [PATCH 073/187] Change default centos bootstrap user to cloud-user This matches the default user in CentOS GenericCloud images. Change-Id: I3a4279178a39a4ad9f834832f3616acaff092212 
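Review bot: In ansible/roles/network-redhat/tasks/main.yml, `distribution_major_version | int >= 9` is open-ended, so the task will also run on any later major release that has not been tested, and a fact value that is not numeric converts to 0 and skips the task without a message. Splitting the compound test into list items is equivalent and easier to read: `- ansible_facts.os_family == "RedHat"` and `- ansible_facts.distribution_major_version | int >= 9`. A short comment naming the releases this was verified on (the commit subject mentions Rocky Linux 10) would help the next reader. The task begins above the hunk.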
Signed-off-by: Pierre Riteau --- ansible/inventory/group_vars/all/compute | 7 ++++--- ansible/inventory/group_vars/all/controllers | 5 +++-- ansible/inventory/group_vars/all/infra-vms | 5 +++-- ansible/inventory/group_vars/all/monitoring | 3 ++- ansible/inventory/group_vars/all/seed | 5 +++-- ansible/inventory/group_vars/all/seed-hypervisor | 5 +++-- ansible/inventory/group_vars/all/storage | 7 ++++--- doc/source/configuration/reference/hosts.rst | 5 +++-- .../configuration/scenarios/all-in-one/index.rst | 2 +- .../configuration/scenarios/all-in-one/overcloud.rst | 10 +++++----- doc/source/contributor/automated.rst | 4 ++-- etc/kayobe/compute.yml | 5 +++-- etc/kayobe/controllers.yml | 3 ++- etc/kayobe/infra-vms.yml | 3 ++- etc/kayobe/monitoring.yml | 3 ++- etc/kayobe/seed-hypervisor.yml | 3 ++- etc/kayobe/seed.yml | 3 ++- etc/kayobe/storage.yml | 5 +++-- .../notes/centos-bootstrap-user-4ee02dee551c62a6.yaml | 10 ++++++++++ 19 files changed, 59 insertions(+), 34 deletions(-) create mode 100644 releasenotes/notes/centos-bootstrap-user-4ee02dee551c62a6.yaml diff --git a/ansible/inventory/group_vars/all/compute b/ansible/inventory/group_vars/all/compute index 6e0dd86c7..30878e069 100644 --- a/ansible/inventory/group_vars/all/compute +++ b/ansible/inventory/group_vars/all/compute 
@@ -2,9 +2,10 @@ ############################################################################### # Compute node configuration. -# User with which to access the computes via SSH during bootstrap, in order -# to setup the Kayobe user account. Default is {{ os_distribution }}. -compute_bootstrap_user: "{{ os_distribution }}" +# User with which to access the compute nodes via SSH during bootstrap, in +# order to setup the Kayobe user account. Default is 'cloud-user' if +# os_distribution is set to centos, otherwise 'os_distribution'. +compute_bootstrap_user: "{{ 'cloud-user' if os_distribution == 'centos' else os_distribution }}" ############################################################################### # Compute network interface configuration. diff --git a/ansible/inventory/group_vars/all/controllers b/ansible/inventory/group_vars/all/controllers index b1fa12b07..5d2f2b804 100644 --- a/ansible/inventory/group_vars/all/controllers +++ b/ansible/inventory/group_vars/all/controllers @@ -3,8 +3,9 @@ # Controller node configuration. # User with which to access the controllers via SSH during bootstrap, in order -# to setup the Kayobe user account. Default is {{ os_distribution }}. -controller_bootstrap_user: "{{ os_distribution }}" +# to setup the Kayobe user account. Default is 'cloud-user' if os_distribution +# is set to centos, otherwise 'os_distribution'. +controller_bootstrap_user: "{{ 'cloud-user' if os_distribution == 'centos' else os_distribution }}" ############################################################################### # Controller groups. diff --git a/ansible/inventory/group_vars/all/infra-vms b/ansible/inventory/group_vars/all/infra-vms index 65f5b9bce..2105c5e3e 100644 --- a/ansible/inventory/group_vars/all/infra-vms +++ b/ansible/inventory/group_vars/all/infra-vms 
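Review bot: The expression `{{ 'cloud-user' if os_distribution == 'centos' else os_distribution }}` is written out for `compute_bootstrap_user` here and repeated verbatim for `controller_bootstrap_user`, `infra_vm_bootstrap_user`, `seed_bootstrap_user`, `seed_hypervisor_bootstrap_user` and `storage_bootstrap_user` in the hunks that follow, so the per-distribution default of the SSH bootstrap account now lives in six places. Defining it once and referencing it would prevent the copies from drifting; with a new shared variable (the name is only a suggestion) each line becomes `compute_bootstrap_user: "{{ default_bootstrap_user }}"`. The comparison is also an exact match, so a differently cased value would fall through to the else branch; `os_distribution | lower == 'centos'` is more forgiving if such values can occur.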
@@ -86,8 +86,9 @@ infra_vm_machine: # Infrastructure VM node configuration. # User with which to access the infrastructure vm via SSH during bootstrap, in -# order to setup the Kayobe user account. Default is {{ os_distribution }}. -infra_vm_bootstrap_user: "{{ os_distribution }}" +# order to setup the Kayobe user account. Default is 'cloud-user' if +# os_distribution is set to centos, otherwise 'os_distribution'. +infra_vm_bootstrap_user: "{{ 'cloud-user' if os_distribution == 'centos' else os_distribution }}" ############################################################################### # Infrastructure VM network interface configuration. diff --git a/ansible/inventory/group_vars/all/monitoring b/ansible/inventory/group_vars/all/monitoring index 56da639e9..ee1fa4ebc 100644 --- a/ansible/inventory/group_vars/all/monitoring +++ b/ansible/inventory/group_vars/all/monitoring @@ -3,7 +3,8 @@ # Monitoring node configuration. # User with which to access the monitoring nodes via SSH during bootstrap, in -# order to setup the Kayobe user account. +# order to setup the Kayobe user account. Default is 'cloud-user' if +# os_distribution is set to centos, otherwise 'os_distribution'. monitoring_bootstrap_user: "{{ controller_bootstrap_user }}" ############################################################################### diff --git a/ansible/inventory/group_vars/all/seed b/ansible/inventory/group_vars/all/seed index f5b1bd38d..37d4497d9 100644 --- a/ansible/inventory/group_vars/all/seed +++ b/ansible/inventory/group_vars/all/seed 
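Review bot: The comment added above `monitoring_bootstrap_user` in ansible/inventory/group_vars/all/monitoring describes a distribution-based default, but the value on the next line is `"{{ controller_bootstrap_user }}"`, so the monitoring user follows whatever the controllers use, including an operator override. Suggested wording for the added sentence: `# order to setup the Kayobe user account. Default is the value of` followed by `# controller_bootstrap_user.` The same sentence is added to etc/kayobe/monitoring.yml later in this patch and should be corrected the same way.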
@@ -3,8 +3,9 @@ # Seed node configuration. # User with which to access the seed via SSH during bootstrap, in order to -# setup the Kayobe user account. Default is {{ os_distribution }}. -seed_bootstrap_user: "{{ os_distribution }}" +# setup the Kayobe user account. Default is 'cloud-user' if os_distribution is +# set to centos, otherwise 'os_distribution'. +seed_bootstrap_user: "{{ 'cloud-user' if os_distribution == 'centos' else os_distribution }}" ############################################################################### # Seed network interface configuration. diff --git a/ansible/inventory/group_vars/all/seed-hypervisor b/ansible/inventory/group_vars/all/seed-hypervisor index 9b9cf889f..0c2a0e6f9 100644 --- a/ansible/inventory/group_vars/all/seed-hypervisor +++ b/ansible/inventory/group_vars/all/seed-hypervisor @@ -3,8 +3,9 @@ # Seed hypervisor node configuration. # User with which to access the seed hypervisor via SSH during bootstrap, in -# order to setup the Kayobe user account. Default is {{ os_distribution }}. -seed_hypervisor_bootstrap_user: "{{ os_distribution }}" +# order to setup the Kayobe user account. Default is 'cloud-user' if +# os_distribution is set to centos, otherwise 'os_distribution'. +seed_hypervisor_bootstrap_user: "{{ 'cloud-user' if os_distribution == 'centos' else os_distribution }}" ############################################################################### # Seed hypervisor network interface configuration. diff --git a/ansible/inventory/group_vars/all/storage b/ansible/inventory/group_vars/all/storage index ff4f20d5f..429c0e816 100644 --- a/ansible/inventory/group_vars/all/storage +++ b/ansible/inventory/group_vars/all/storage 
@@ -2,9 +2,10 @@ ############################################################################### # Storage node configuration. -# User with which to access the storages via SSH during bootstrap, in order -# to setup the Kayobe user account. Default is {{ os_distribution }}. -storage_bootstrap_user: "{{ os_distribution }}" +# User with which to access the storage nodes via SSH during bootstrap, in +# order to setup the Kayobe user account. Default is 'cloud-user' if +# os_distribution is set to centos, otherwise 'os_distribution'. +storage_bootstrap_user: "{{ 'cloud-user' if os_distribution == 'centos' else os_distribution }}" ############################################################################### # Storage network interface configuration. diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst index 6b08e84ab..edda6514a 100644 --- a/doc/source/configuration/reference/hosts.rst +++ b/doc/source/configuration/reference/hosts.rst @@ -79,8 +79,9 @@ is ``stack``. Typically, the image used to provision these hosts will not include this user account, so Kayobe performs a bootstrapping step to create it, as a different user. In cloud images, there is often a user named after the OS distro, e.g. -``centos``, ``rocky`` or ``ubuntu``. This user defaults to the -``os_distribution`` variable, but may be set via the following variables: +``rocky`` or ``ubuntu``. This user defaults to the ``os_distribution`` +variable, except for CentOS which uses ``cloud-user``, but may be set via the +following variables: * ``seed_hypervisor_bootstrap_user`` * ``seed_bootstrap_user`` diff --git a/doc/source/configuration/scenarios/all-in-one/index.rst b/doc/source/configuration/scenarios/all-in-one/index.rst index 750a2487d..1c7e33d71 100644 --- a/doc/source/configuration/scenarios/all-in-one/index.rst +++ b/doc/source/configuration/scenarios/all-in-one/index.rst 
@@ -30,7 +30,7 @@ It also requires a single host running a :ref:`supported operating system * at least one network interface that has Internet access You will need access to a user account with passwordless sudo. The default user -in a cloud image (e.g. ``centos`` or ``rocky`` or ``ubuntu``) is typically +in a cloud image (e.g. ``cloud-user`` or ``rocky`` or ``ubuntu``) is typically sufficient. This user will be used to run Kayobe commands. It will also be used by Kayobe to bootstrap other user accounts. diff --git a/doc/source/configuration/scenarios/all-in-one/overcloud.rst b/doc/source/configuration/scenarios/all-in-one/overcloud.rst index 2992877ab..2677df323 100644 --- a/doc/source/configuration/scenarios/all-in-one/overcloud.rst +++ b/doc/source/configuration/scenarios/all-in-one/overcloud.rst @@ -219,11 +219,11 @@ or ``rocky`` if using Rocky Linux.. os_distribution: "ubuntu" Kayobe uses a bootstrap user to create a ``stack`` user account. By default, -this user is ``centos`` on CentOS, ``rocky`` on Rocky and ``ubuntu`` on Ubuntu, -in line with the default user in the official cloud images. If you are using -a different bootstrap user, set the ``controller_bootstrap_user`` variable in -``etc/kayobe/controllers.yml``. For example, to set it to ``cloud-user`` (as -seen in MAAS): +this user is ``cloud-user`` on CentOS, ``rocky`` on Rocky and ``ubuntu`` on +Ubuntu, in line with the default user in the official cloud images. If you are +using a different bootstrap user, set the ``controller_bootstrap_user`` +variable in ``etc/kayobe/controllers.yml``. For example, to set it to +``cloud-user`` (as seen in MAAS): .. code-block:: yaml :caption: ``etc/kayobe/controllers.yml`` diff --git a/doc/source/contributor/automated.rst b/doc/source/contributor/automated.rst index 8db00d530..316588b4a 100644 --- a/doc/source/contributor/automated.rst +++ b/doc/source/contributor/automated.rst 
@@ -309,8 +309,8 @@ It is now possible to discover, inspect and provision the controller VM:: kayobe overcloud hardware inspect kayobe overcloud provision -The controller VM is now accessible via SSH as the bootstrap user (``centos`` -or ``ubuntu``) at ``192.168.33.3``. +The controller VM is now accessible via SSH as the bootstrap user +(``cloud-user``, ``rocky`` or ``ubuntu``) at ``192.168.33.3``. The machines and networking created by Tenks can be cleaned up via ``dev/tenks-teardown-overcloud.sh``:: diff --git a/etc/kayobe/compute.yml b/etc/kayobe/compute.yml index 5572bbe00..f27522349 100644 --- a/etc/kayobe/compute.yml +++ b/etc/kayobe/compute.yml @@ -2,8 +2,9 @@ ############################################################################### # Compute node configuration. -# User with which to access the computes via SSH during bootstrap, in order -# to setup the Kayobe user account. Default is {{ os_distribution }}. +# User with which to access the compute nodes via SSH during bootstrap, in +# order to setup the Kayobe user account. Default is 'cloud-user' if +# os_distribution is set to centos, otherwise 'os_distribution'. #compute_bootstrap_user: ############################################################################### diff --git a/etc/kayobe/controllers.yml b/etc/kayobe/controllers.yml index d974cc6b1..caa03a6ff 100644 --- a/etc/kayobe/controllers.yml +++ b/etc/kayobe/controllers.yml @@ -3,7 +3,8 @@ # Controller node configuration. # User with which to access the controllers via SSH during bootstrap, in order -# to setup the Kayobe user account. Default is {{ os_distribution }}. +# to setup the Kayobe user account. Default is 'cloud-user' if os_distribution +# is set to centos, otherwise 'os_distribution'. #controller_bootstrap_user: ############################################################################### diff --git a/etc/kayobe/infra-vms.yml b/etc/kayobe/infra-vms.yml index 994f82d96..abbd24e68 100644 --- a/etc/kayobe/infra-vms.yml 
+++ b/etc/kayobe/infra-vms.yml @@ -68,7 +68,8 @@ # Infrastructure VM node configuration. # User with which to access the infrastructure vm via SSH during bootstrap, in -# order to setup the Kayobe user account. +# order to setup the Kayobe user account. Default is 'cloud-user' if +# os_distribution is set to centos, otherwise 'os_distribution'. #infra_vm_bootstrap_user: ############################################################################### diff --git a/etc/kayobe/monitoring.yml b/etc/kayobe/monitoring.yml index 5468936d3..5a19d7023 100644 --- a/etc/kayobe/monitoring.yml +++ b/etc/kayobe/monitoring.yml @@ -3,7 +3,8 @@ # Monitoring node configuration. # User with which to access the monitoring nodes via SSH during bootstrap, in -# order to setup the Kayobe user account. +# order to setup the Kayobe user account. Default is 'cloud-user' if +# os_distribution is set to centos, otherwise 'os_distribution'. #monitoring_bootstrap_user: ############################################################################### diff --git a/etc/kayobe/seed-hypervisor.yml b/etc/kayobe/seed-hypervisor.yml index dd8fbca23..cded893f9 100644 --- a/etc/kayobe/seed-hypervisor.yml +++ b/etc/kayobe/seed-hypervisor.yml @@ -3,7 +3,8 @@ # Seed hypervisor node configuration. # User with which to access the seed hypervisor via SSH during bootstrap, in -# order to setup the Kayobe user account. Default is {{ os_distribution }}. +# order to setup the Kayobe user account. Default is 'cloud-user' if +# os_distribution is set to centos, otherwise 'os_distribution'. #seed_hypervisor_bootstrap_user: ############################################################################### diff --git a/etc/kayobe/seed.yml b/etc/kayobe/seed.yml index 48bcfb878..9f4f7055b 100644 --- a/etc/kayobe/seed.yml +++ b/etc/kayobe/seed.yml 
@@ -3,7 +3,8 @@ # Seed node configuration. # User with which to access the seed via SSH during bootstrap, in order to -# setup the Kayobe user account. Default is {{ os_distribution }}. +# setup the Kayobe user account. Default is 'cloud-user' if os_distribution is +# set to centos, otherwise 'os_distribution'. #seed_bootstrap_user: ############################################################################### diff --git a/etc/kayobe/storage.yml b/etc/kayobe/storage.yml index 2cdac5bed..1866e6df3 100644 --- a/etc/kayobe/storage.yml +++ b/etc/kayobe/storage.yml @@ -2,8 +2,9 @@ ############################################################################### # Storage node configuration. -# User with which to access the storages via SSH during bootstrap, in order -# to setup the Kayobe user account. Default is {{ os_distribution }}. +# User with which to access the storage nodes via SSH during bootstrap, in +# order to setup the Kayobe user account. Default is 'cloud-user' if +# os_distribution is set to centos, otherwise 'os_distribution'. #storage_bootstrap_user: ############################################################################### diff --git a/releasenotes/notes/centos-bootstrap-user-4ee02dee551c62a6.yaml b/releasenotes/notes/centos-bootstrap-user-4ee02dee551c62a6.yaml new file mode 100644 index 000000000..045a74b19 --- /dev/null +++ b/releasenotes/notes/centos-bootstrap-user-4ee02dee551c62a6.yaml @@ -0,0 +1,10 @@ +--- +upgrade: + - | + The default bootstrap user has been changed to ``cloud-user`` if + ``os_distribution`` is set to ``centos``. Set ``*_bootstrap_user`` + variables to ``centos`` to retain existing behaviour. +fixes: + - | + The default bootstrap user has been changed to ``cloud-user`` if + ``os_distribution`` is set to ``centos``, to match official cloud images. From f5a5ddb043248e09461996907dcc6312bd7f7dd0 Mon Sep 17 00:00:00 2001 
From: Matt Anson Date: Fri, 12 Sep 2025 20:41:57 +0100 Subject: [PATCH 074/187] Explicity set --check and --diff in kolla-ansible Kolla Ansible no longer supports appending the content of the EXTRA_OPTS environment variable to the ansible-playbook command. Kolla Ansible now supports --check and --diff as explicit CLI arguments, so explicitly pass them into kolla-ansible. Closes-Bug: #2123834 Change-Id: Ia91e5539f4338c8209fbe92739bce916c10b2b7a Signed-off-by: Matt Anson --- kayobe/kolla_ansible.py | 12 ++++-------- kayobe/tests/unit/test_kolla_ansible.py | 7 ++++--- ...olla-check-diff--extra-opts-03bc183075f59ada.yaml | 6 ++++++ 3 files changed, 14 insertions(+), 11 deletions(-) create mode 100644 releasenotes/notes/kolla-check-diff--extra-opts-03bc183075f59ada.yaml diff --git a/kayobe/kolla_ansible.py b/kayobe/kolla_ansible.py index c06faafc3..7b5c990c9 100644 --- a/kayobe/kolla_ansible.py +++ b/kayobe/kolla_ansible.py @@ -172,6 +172,10 @@ def build_args(parsed_args, command, inventory_filename, extra_vars=None, cmd += ["--tags", ",".join(all_tags)] if parsed_args.list_tasks: cmd += ["--list-tasks"] + if parsed_args.check: + cmd += ["--check"] + if parsed_args.diff: + cmd += ["--diff"] if extra_args: cmd += extra_args return cmd @@ -191,14 +195,6 @@ def _get_environment(parsed_args): ansible_cfg_path = os.path.join(parsed_args.config_path, "ansible.cfg") if utils.is_readable_file(ansible_cfg_path)["result"]: env.setdefault("ANSIBLE_CONFIG", ansible_cfg_path) - # kolla-ansible allows passing additional arguments to ansible-playbook via - # EXTRA_OPTS. - if parsed_args.check or parsed_args.diff: - extra_opts = env.setdefault("EXTRA_OPTS", "") - if parsed_args.check and "--check" not in extra_opts: - env["EXTRA_OPTS"] += " --check" - if parsed_args.diff and "--diff" not in extra_opts: - env["EXTRA_OPTS"] += " --diff" return env diff --git a/kayobe/tests/unit/test_kolla_ansible.py b/kayobe/tests/unit/test_kolla_ansible.py index 23b2eccf8..68ddab221 100644 
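Review bot: In `build_args`, the new `--check`/`--diff` branches have no comment explaining why these flags now go on the command line, and the comment removed from `_get_environment` was the only place the mechanism was documented. I would add `# kolla-ansible no longer reads EXTRA_OPTS, so dry-run flags must be explicit CLI arguments.` above `if parsed_args.check:`. A dropped `--check` turns an intended dry run into a run that changes hosts, so it is worth confirming that every Kolla Ansible release this branch can be paired with rejects an unrecognised `--check` rather than ignoring it; this hunk cannot show that. Both function bodies start and end outside the hunks, and the same change is repeated later in the series as PATCH 077/187.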
--- a/kayobe/tests/unit/test_kolla_ansible.py +++ b/kayobe/tests/unit/test_kolla_ansible.py @@ -77,9 +77,10 @@ def test_run_all_the_args(self, mock_validate, mock_run): "-e", "ev_name1=ev_value1", "--limit", "'host1:host2'", "--tags", "tag1,tag2", + "--check", "--diff" ] expected_cmd = " ".join(expected_cmd) - expected_env = {"EXTRA_OPTS": " --check --diff"} + expected_env = {} mock_run.assert_called_once_with(expected_cmd, shell=True, quiet=False, env=expected_env) @@ -119,10 +120,10 @@ def test_run_all_the_long_args(self, mock_ask, mock_validate, mock_run): "--limit", "'host1:host2'", "--skip-tags", "tag3,tag4", "--tags", "tag1,tag2", + "--check", "--diff" ] expected_cmd = " ".join(expected_cmd) - expected_env = {"EXTRA_OPTS": " --check --diff", - "KAYOBE_VAULT_PASSWORD": "test-pass"} + expected_env = {"KAYOBE_VAULT_PASSWORD": "test-pass"} expected_calls = [ mock.call(["which", "kayobe-vault-password-helper"], check_output=True, universal_newlines=True), diff --git a/releasenotes/notes/kolla-check-diff--extra-opts-03bc183075f59ada.yaml b/releasenotes/notes/kolla-check-diff--extra-opts-03bc183075f59ada.yaml new file mode 100644 index 000000000..8c418f91a --- /dev/null +++ b/releasenotes/notes/kolla-check-diff--extra-opts-03bc183075f59ada.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixes ``--check`` and ``--diff`` CLI arguments not being passed into + Kolla Ansible commands. + `LP#2123834 `__ From b9bc2c5edb349e170b22c33f6ca9dda835c9d1ec Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 17 Sep 2025 23:05:48 +0200 Subject: [PATCH 075/187] Fix disabling NetworkManager DNS management on Rocky Linux 10 Change-Id: I9e968eb26747d690f1dd0cf138497311e9360cff Signed-off-by: Pierre Riteau --- ansible/roles/network-redhat/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/network-redhat/tasks/main.yml b/ansible/roles/network-redhat/tasks/main.yml index c73e31152..c8f07780e 100644 --- a/ansible/roles/network-redhat/tasks/main.yml 
+++ b/ansible/roles/network-redhat/tasks/main.yml @@ -18,7 +18,7 @@ - option: rc-manager value: unmanaged when: - - ansible_facts.os_family == "RedHat" and ansible_facts.distribution_major_version == "9" + - ansible_facts.os_family == "RedHat" and ansible_facts.distribution_major_version | int >= 9 register: dns_config_task - name: Reload NetworkManager with DNS config From 892d9a9cb82d2ebb90c042765871613701dc9762 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 19 Sep 2025 14:34:02 +0200 Subject: [PATCH 076/187] Change default centos bootstrap user to cloud-user This matches the default user in CentOS GenericCloud images. Change-Id: I3a4279178a39a4ad9f834832f3616acaff092212 Signed-off-by: Pierre Riteau --- ansible/inventory/group_vars/all/compute | 7 ++++--- ansible/inventory/group_vars/all/controllers | 5 +++-- ansible/inventory/group_vars/all/infra-vms | 5 +++-- ansible/inventory/group_vars/all/monitoring | 3 ++- ansible/inventory/group_vars/all/seed | 5 +++-- ansible/inventory/group_vars/all/seed-hypervisor | 5 +++-- ansible/inventory/group_vars/all/storage | 7 ++++--- doc/source/configuration/reference/hosts.rst | 5 +++-- .../configuration/scenarios/all-in-one/index.rst | 2 +- .../configuration/scenarios/all-in-one/overcloud.rst | 10 +++++----- doc/source/contributor/automated.rst | 4 ++-- etc/kayobe/compute.yml | 5 +++-- etc/kayobe/controllers.yml | 3 ++- etc/kayobe/infra-vms.yml | 3 ++- etc/kayobe/monitoring.yml | 3 ++- etc/kayobe/seed-hypervisor.yml | 3 ++- etc/kayobe/seed.yml | 3 ++- etc/kayobe/storage.yml | 5 +++-- .../notes/centos-bootstrap-user-4ee02dee551c62a6.yaml | 10 ++++++++++ 19 files changed, 59 insertions(+), 34 deletions(-) create mode 100644 releasenotes/notes/centos-bootstrap-user-4ee02dee551c62a6.yaml diff --git a/ansible/inventory/group_vars/all/compute b/ansible/inventory/group_vars/all/compute index 6e0dd86c7..30878e069 100644 --- a/ansible/inventory/group_vars/all/compute +++ b/ansible/inventory/group_vars/all/compute 
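Review bot: The rewritten `when:` entry is now open-ended, so the `rc-manager` option is set to `unmanaged` on every `RedHat`-family host whose major version parses to 9 or more, not only on the release named in the commit subject. Ansible reports Fedora under the same `os_family`, so such hosts would also match if they ever appear in the inventory. In addition, `| int` turns a non-numeric version string into 0, which silently skips the task. Since `when:` is already a list, splitting the test into `- ansible_facts.os_family == "RedHat"` and `- (ansible_facts.distribution_major_version | int) >= 9` makes the precedence explicit. The task itself starts above the hunk.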
@@ -2,9 +2,10 @@ ############################################################################### # Compute node configuration. -# User with which to access the computes via SSH during bootstrap, in order -# to setup the Kayobe user account. Default is {{ os_distribution }}. -compute_bootstrap_user: "{{ os_distribution }}" +# User with which to access the compute nodes via SSH during bootstrap, in +# order to setup the Kayobe user account. Default is 'cloud-user' if +# os_distribution is set to centos, otherwise 'os_distribution'. +compute_bootstrap_user: "{{ 'cloud-user' if os_distribution == 'centos' else os_distribution }}" ############################################################################### # Compute network interface configuration. diff --git a/ansible/inventory/group_vars/all/controllers b/ansible/inventory/group_vars/all/controllers index b1fa12b07..5d2f2b804 100644 --- a/ansible/inventory/group_vars/all/controllers +++ b/ansible/inventory/group_vars/all/controllers @@ -3,8 +3,9 @@ # Controller node configuration. # User with which to access the controllers via SSH during bootstrap, in order -# to setup the Kayobe user account. Default is {{ os_distribution }}. -controller_bootstrap_user: "{{ os_distribution }}" +# to setup the Kayobe user account. Default is 'cloud-user' if os_distribution +# is set to centos, otherwise 'os_distribution'. +controller_bootstrap_user: "{{ 'cloud-user' if os_distribution == 'centos' else os_distribution }}" ############################################################################### # Controller groups. diff --git a/ansible/inventory/group_vars/all/infra-vms b/ansible/inventory/group_vars/all/infra-vms index 65f5b9bce..2105c5e3e 100644 --- a/ansible/inventory/group_vars/all/infra-vms +++ b/ansible/inventory/group_vars/all/infra-vms 
@@ -86,8 +86,9 @@ infra_vm_machine: # Infrastructure VM node configuration. # User with which to access the infrastructure vm via SSH during bootstrap, in -# order to setup the Kayobe user account. Default is {{ os_distribution }}. -infra_vm_bootstrap_user: "{{ os_distribution }}" +# order to setup the Kayobe user account. Default is 'cloud-user' if +# os_distribution is set to centos, otherwise 'os_distribution'. +infra_vm_bootstrap_user: "{{ 'cloud-user' if os_distribution == 'centos' else os_distribution }}" ############################################################################### # Infrastructure VM network interface configuration. diff --git a/ansible/inventory/group_vars/all/monitoring b/ansible/inventory/group_vars/all/monitoring index 56da639e9..ee1fa4ebc 100644 --- a/ansible/inventory/group_vars/all/monitoring +++ b/ansible/inventory/group_vars/all/monitoring @@ -3,7 +3,8 @@ # Monitoring node configuration. # User with which to access the monitoring nodes via SSH during bootstrap, in -# order to setup the Kayobe user account. +# order to setup the Kayobe user account. Default is 'cloud-user' if +# os_distribution is set to centos, otherwise 'os_distribution'. monitoring_bootstrap_user: "{{ controller_bootstrap_user }}" ############################################################################### diff --git a/ansible/inventory/group_vars/all/seed b/ansible/inventory/group_vars/all/seed index f5b1bd38d..37d4497d9 100644 --- a/ansible/inventory/group_vars/all/seed +++ b/ansible/inventory/group_vars/all/seed 
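Review bot: The sentence added to the comment in `group_vars/all/monitoring` does not describe the value below it: `monitoring_bootstrap_user` is set to `"{{ controller_bootstrap_user }}"`, so its default follows the controller setting and only indirectly `os_distribution`. An operator who overrides `controller_bootstrap_user` therefore also changes the SSH account used to bootstrap monitoring hosts, which the new wording hides. I would write `# order to setup the Kayobe user account. Default is {{ controller_bootstrap_user }}.` here and in the matching comment in `etc/kayobe/monitoring.yml`.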
@@ -3,8 +3,9 @@ # Seed node configuration. # User with which to access the seed via SSH during bootstrap, in order to -# setup the Kayobe user account. Default is {{ os_distribution }}. -seed_bootstrap_user: "{{ os_distribution }}" +# setup the Kayobe user account. Default is 'cloud-user' if os_distribution is +# set to centos, otherwise 'os_distribution'. +seed_bootstrap_user: "{{ 'cloud-user' if os_distribution == 'centos' else os_distribution }}" ############################################################################### # Seed network interface configuration. diff --git a/ansible/inventory/group_vars/all/seed-hypervisor b/ansible/inventory/group_vars/all/seed-hypervisor index 9b9cf889f..0c2a0e6f9 100644 --- a/ansible/inventory/group_vars/all/seed-hypervisor +++ b/ansible/inventory/group_vars/all/seed-hypervisor @@ -3,8 +3,9 @@ # Seed hypervisor node configuration. # User with which to access the seed hypervisor via SSH during bootstrap, in -# order to setup the Kayobe user account. Default is {{ os_distribution }}. -seed_hypervisor_bootstrap_user: "{{ os_distribution }}" +# order to setup the Kayobe user account. Default is 'cloud-user' if +# os_distribution is set to centos, otherwise 'os_distribution'. +seed_hypervisor_bootstrap_user: "{{ 'cloud-user' if os_distribution == 'centos' else os_distribution }}" ############################################################################### # Seed hypervisor network interface configuration. diff --git a/ansible/inventory/group_vars/all/storage b/ansible/inventory/group_vars/all/storage index ff4f20d5f..429c0e816 100644 --- a/ansible/inventory/group_vars/all/storage +++ b/ansible/inventory/group_vars/all/storage 
@@ -2,9 +2,10 @@ ############################################################################### # Storage node configuration. -# User with which to access the storages via SSH during bootstrap, in order -# to setup the Kayobe user account. Default is {{ os_distribution }}. -storage_bootstrap_user: "{{ os_distribution }}" +# User with which to access the storage nodes via SSH during bootstrap, in +# order to setup the Kayobe user account. Default is 'cloud-user' if +# os_distribution is set to centos, otherwise 'os_distribution'. +storage_bootstrap_user: "{{ 'cloud-user' if os_distribution == 'centos' else os_distribution }}" ############################################################################### # Storage network interface configuration. diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst index 6b08e84ab..edda6514a 100644 --- a/doc/source/configuration/reference/hosts.rst +++ b/doc/source/configuration/reference/hosts.rst @@ -79,8 +79,9 @@ is ``stack``. Typically, the image used to provision these hosts will not include this user account, so Kayobe performs a bootstrapping step to create it, as a different user. In cloud images, there is often a user named after the OS distro, e.g. -``centos``, ``rocky`` or ``ubuntu``. This user defaults to the -``os_distribution`` variable, but may be set via the following variables: +``rocky`` or ``ubuntu``. This user defaults to the ``os_distribution`` +variable, except for CentOS which uses ``cloud-user``, but may be set via the +following variables: * ``seed_hypervisor_bootstrap_user`` * ``seed_bootstrap_user`` diff --git a/doc/source/configuration/scenarios/all-in-one/index.rst b/doc/source/configuration/scenarios/all-in-one/index.rst index 750a2487d..1c7e33d71 100644 --- a/doc/source/configuration/scenarios/all-in-one/index.rst +++ b/doc/source/configuration/scenarios/all-in-one/index.rst 
@@ -30,7 +30,7 @@ It also requires a single host running a :ref:`supported operating system * at least one network interface that has Internet access You will need access to a user account with passwordless sudo. The default user -in a cloud image (e.g. ``centos`` or ``rocky`` or ``ubuntu``) is typically +in a cloud image (e.g. ``cloud-user`` or ``rocky`` or ``ubuntu``) is typically sufficient. This user will be used to run Kayobe commands. It will also be used by Kayobe to bootstrap other user accounts. diff --git a/doc/source/configuration/scenarios/all-in-one/overcloud.rst b/doc/source/configuration/scenarios/all-in-one/overcloud.rst index 2992877ab..2677df323 100644 --- a/doc/source/configuration/scenarios/all-in-one/overcloud.rst +++ b/doc/source/configuration/scenarios/all-in-one/overcloud.rst @@ -219,11 +219,11 @@ or ``rocky`` if using Rocky Linux.. os_distribution: "ubuntu" Kayobe uses a bootstrap user to create a ``stack`` user account. By default, -this user is ``centos`` on CentOS, ``rocky`` on Rocky and ``ubuntu`` on Ubuntu, -in line with the default user in the official cloud images. If you are using -a different bootstrap user, set the ``controller_bootstrap_user`` variable in -``etc/kayobe/controllers.yml``. For example, to set it to ``cloud-user`` (as -seen in MAAS): +this user is ``cloud-user`` on CentOS, ``rocky`` on Rocky and ``ubuntu`` on +Ubuntu, in line with the default user in the official cloud images. If you are +using a different bootstrap user, set the ``controller_bootstrap_user`` +variable in ``etc/kayobe/controllers.yml``. For example, to set it to +``cloud-user`` (as seen in MAAS): .. code-block:: yaml :caption: ``etc/kayobe/controllers.yml`` diff --git a/doc/source/contributor/automated.rst b/doc/source/contributor/automated.rst index 8db00d530..316588b4a 100644 --- a/doc/source/contributor/automated.rst +++ b/doc/source/contributor/automated.rst 
@@ -309,8 +309,8 @@ It is now possible to discover, inspect and provision the controller VM:: kayobe overcloud hardware inspect kayobe overcloud provision -The controller VM is now accessible via SSH as the bootstrap user (``centos`` -or ``ubuntu``) at ``192.168.33.3``. +The controller VM is now accessible via SSH as the bootstrap user +(``cloud-user``, ``rocky`` or ``ubuntu``) at ``192.168.33.3``. The machines and networking created by Tenks can be cleaned up via ``dev/tenks-teardown-overcloud.sh``:: diff --git a/etc/kayobe/compute.yml b/etc/kayobe/compute.yml index 5572bbe00..f27522349 100644 --- a/etc/kayobe/compute.yml +++ b/etc/kayobe/compute.yml @@ -2,8 +2,9 @@ ############################################################################### # Compute node configuration. -# User with which to access the computes via SSH during bootstrap, in order -# to setup the Kayobe user account. Default is {{ os_distribution }}. +# User with which to access the compute nodes via SSH during bootstrap, in +# order to setup the Kayobe user account. Default is 'cloud-user' if +# os_distribution is set to centos, otherwise 'os_distribution'. #compute_bootstrap_user: ############################################################################### diff --git a/etc/kayobe/controllers.yml b/etc/kayobe/controllers.yml index d974cc6b1..caa03a6ff 100644 --- a/etc/kayobe/controllers.yml +++ b/etc/kayobe/controllers.yml @@ -3,7 +3,8 @@ # Controller node configuration. # User with which to access the controllers via SSH during bootstrap, in order -# to setup the Kayobe user account. Default is {{ os_distribution }}. +# to setup the Kayobe user account. Default is 'cloud-user' if os_distribution +# is set to centos, otherwise 'os_distribution'. #controller_bootstrap_user: ############################################################################### diff --git a/etc/kayobe/infra-vms.yml b/etc/kayobe/infra-vms.yml index 994f82d96..abbd24e68 100644 --- a/etc/kayobe/infra-vms.yml 
+++ b/etc/kayobe/infra-vms.yml @@ -68,7 +68,8 @@ # Infrastructure VM node configuration. # User with which to access the infrastructure vm via SSH during bootstrap, in -# order to setup the Kayobe user account. +# order to setup the Kayobe user account. Default is 'cloud-user' if +# os_distribution is set to centos, otherwise 'os_distribution'. #infra_vm_bootstrap_user: ############################################################################### diff --git a/etc/kayobe/monitoring.yml b/etc/kayobe/monitoring.yml index 5468936d3..5a19d7023 100644 --- a/etc/kayobe/monitoring.yml +++ b/etc/kayobe/monitoring.yml @@ -3,7 +3,8 @@ # Monitoring node configuration. # User with which to access the monitoring nodes via SSH during bootstrap, in -# order to setup the Kayobe user account. +# order to setup the Kayobe user account. Default is 'cloud-user' if +# os_distribution is set to centos, otherwise 'os_distribution'. #monitoring_bootstrap_user: ############################################################################### diff --git a/etc/kayobe/seed-hypervisor.yml b/etc/kayobe/seed-hypervisor.yml index dd8fbca23..cded893f9 100644 --- a/etc/kayobe/seed-hypervisor.yml +++ b/etc/kayobe/seed-hypervisor.yml @@ -3,7 +3,8 @@ # Seed hypervisor node configuration. # User with which to access the seed hypervisor via SSH during bootstrap, in -# order to setup the Kayobe user account. Default is {{ os_distribution }}. +# order to setup the Kayobe user account. Default is 'cloud-user' if +# os_distribution is set to centos, otherwise 'os_distribution'. #seed_hypervisor_bootstrap_user: ############################################################################### diff --git a/etc/kayobe/seed.yml b/etc/kayobe/seed.yml index 48bcfb878..9f4f7055b 100644 --- a/etc/kayobe/seed.yml +++ b/etc/kayobe/seed.yml 
@@ -3,7 +3,8 @@ # Seed node configuration. # User with which to access the seed via SSH during bootstrap, in order to -# setup the Kayobe user account. Default is {{ os_distribution }}. +# setup the Kayobe user account. Default is 'cloud-user' if os_distribution is +# set to centos, otherwise 'os_distribution'. #seed_bootstrap_user: ############################################################################### diff --git a/etc/kayobe/storage.yml b/etc/kayobe/storage.yml index 2cdac5bed..1866e6df3 100644 --- a/etc/kayobe/storage.yml +++ b/etc/kayobe/storage.yml @@ -2,8 +2,9 @@ ############################################################################### # Storage node configuration. -# User with which to access the storages via SSH during bootstrap, in order -# to setup the Kayobe user account. Default is {{ os_distribution }}. +# User with which to access the storage nodes via SSH during bootstrap, in +# order to setup the Kayobe user account. Default is 'cloud-user' if +# os_distribution is set to centos, otherwise 'os_distribution'. #storage_bootstrap_user: ############################################################################### diff --git a/releasenotes/notes/centos-bootstrap-user-4ee02dee551c62a6.yaml b/releasenotes/notes/centos-bootstrap-user-4ee02dee551c62a6.yaml new file mode 100644 index 000000000..045a74b19 --- /dev/null +++ b/releasenotes/notes/centos-bootstrap-user-4ee02dee551c62a6.yaml @@ -0,0 +1,10 @@ +--- +upgrade: + - | + The default bootstrap user has been changed to ``cloud-user`` if + ``os_distribution`` is set to ``centos``. Set ``*_bootstrap_user`` + variables to ``centos`` to retain existing behaviour. +fixes: + - | + The default bootstrap user has been changed to ``cloud-user`` if + ``os_distribution`` is set to ``centos``, to match official cloud images. From 141c35f5540289f812a65889f68b6fc005286080 Mon Sep 17 00:00:00 2001 
From: Matt Anson Date: Fri, 12 Sep 2025 20:41:57 +0100 Subject: [PATCH 077/187] Explicity set --check and --diff in kolla-ansible Kolla Ansible no longer supports appending the content of the EXTRA_OPTS environment variable to the ansible-playbook command. Kolla Ansible now supports --check and --diff as explicit CLI arguments, so explicitly pass them into kolla-ansible. Closes-Bug: #2123834 Change-Id: Ia91e5539f4338c8209fbe92739bce916c10b2b7a Signed-off-by: Matt Anson --- kayobe/kolla_ansible.py | 12 ++++-------- kayobe/tests/unit/test_kolla_ansible.py | 7 ++++--- ...olla-check-diff--extra-opts-03bc183075f59ada.yaml | 6 ++++++ 3 files changed, 14 insertions(+), 11 deletions(-) create mode 100644 releasenotes/notes/kolla-check-diff--extra-opts-03bc183075f59ada.yaml diff --git a/kayobe/kolla_ansible.py b/kayobe/kolla_ansible.py index c06faafc3..7b5c990c9 100644 --- a/kayobe/kolla_ansible.py +++ b/kayobe/kolla_ansible.py @@ -172,6 +172,10 @@ def build_args(parsed_args, command, inventory_filename, extra_vars=None, cmd += ["--tags", ",".join(all_tags)] if parsed_args.list_tasks: cmd += ["--list-tasks"] + if parsed_args.check: + cmd += ["--check"] + if parsed_args.diff: + cmd += ["--diff"] if extra_args: cmd += extra_args return cmd @@ -191,14 +195,6 @@ def _get_environment(parsed_args): ansible_cfg_path = os.path.join(parsed_args.config_path, "ansible.cfg") if utils.is_readable_file(ansible_cfg_path)["result"]: env.setdefault("ANSIBLE_CONFIG", ansible_cfg_path) - # kolla-ansible allows passing additional arguments to ansible-playbook via - # EXTRA_OPTS. - if parsed_args.check or parsed_args.diff: - extra_opts = env.setdefault("EXTRA_OPTS", "") - if parsed_args.check and "--check" not in extra_opts: - env["EXTRA_OPTS"] += " --check" - if parsed_args.diff and "--diff" not in extra_opts: - env["EXTRA_OPTS"] += " --diff" return env diff --git a/kayobe/tests/unit/test_kolla_ansible.py b/kayobe/tests/unit/test_kolla_ansible.py index 23b2eccf8..68ddab221 100644 
--- a/kayobe/tests/unit/test_kolla_ansible.py +++ b/kayobe/tests/unit/test_kolla_ansible.py @@ -77,9 +77,10 @@ def test_run_all_the_args(self, mock_validate, mock_run): "-e", "ev_name1=ev_value1", "--limit", "'host1:host2'", "--tags", "tag1,tag2", + "--check", "--diff" ] expected_cmd = " ".join(expected_cmd) - expected_env = {"EXTRA_OPTS": " --check --diff"} + expected_env = {} mock_run.assert_called_once_with(expected_cmd, shell=True, quiet=False, env=expected_env) @@ -119,10 +120,10 @@ def test_run_all_the_long_args(self, mock_ask, mock_validate, mock_run): "--limit", "'host1:host2'", "--skip-tags", "tag3,tag4", "--tags", "tag1,tag2", + "--check", "--diff" ] expected_cmd = " ".join(expected_cmd) - expected_env = {"EXTRA_OPTS": " --check --diff", - "KAYOBE_VAULT_PASSWORD": "test-pass"} + expected_env = {"KAYOBE_VAULT_PASSWORD": "test-pass"} expected_calls = [ mock.call(["which", "kayobe-vault-password-helper"], check_output=True, universal_newlines=True), diff --git a/releasenotes/notes/kolla-check-diff--extra-opts-03bc183075f59ada.yaml b/releasenotes/notes/kolla-check-diff--extra-opts-03bc183075f59ada.yaml new file mode 100644 index 000000000..8c418f91a --- /dev/null +++ b/releasenotes/notes/kolla-check-diff--extra-opts-03bc183075f59ada.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixes ``--check`` and ``--diff`` CLI arguments not being passed into + Kolla Ansible commands. + `LP#2123834 `__ From 38742f166f6c2c2349da0c4b817566b9589eeadd Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Wed, 18 Dec 2024 16:38:03 +0100 Subject: [PATCH 078/187] ironic: Add kolla_ironic_inspection_network In more advanced Ironic network setups - all three Ironic networks should be isolated - i.e. separate networks for cleaning, inspection and provisioning. This patch implements separate inspection network. Change-Id: I527b3bf50c465604f5d2e71a15c27a65a153bec8 
Signed-off-by: Will Szumski --- ansible/inventory/group_vars/all/ironic | 3 +++ ansible/provision-net.yml | 18 +++++++++++++++++- .../roles/kolla-openstack/defaults/main.yml | 3 +++ .../templates/kolla/config/ironic.conf | 1 + etc/kayobe/ironic.yml | 3 +++ ...ic-inspection-network-6cd3977447492236.yaml | 6 ++++++ 6 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/kolla-ironic-inspection-network-6cd3977447492236.yaml diff --git a/ansible/inventory/group_vars/all/ironic b/ansible/inventory/group_vars/all/ironic index 72f26e2f7..cf7dc884e 100644 --- a/ansible/inventory/group_vars/all/ironic +++ b/ansible/inventory/group_vars/all/ironic @@ -94,6 +94,9 @@ kolla_ironic_default_vendor_interface: # Name of the Neutron network to use for cleaning. kolla_ironic_cleaning_network: "{{ kolla_ironic_provisioning_network if cleaning_net_name == provision_wl_net_name else 'cleaning-net' }}" +# Name of the Neutron network to use for inspection. +kolla_ironic_inspection_network: "{{ kolla_ironic_provisioning_network if inspection_net_name == provision_wl_net_name else 'inspection-net' }}" + # Name of the Neutron network to use for provisioning. kolla_ironic_provisioning_network: 'provision-net' diff --git a/ansible/provision-net.yml b/ansible/provision-net.yml index 66d28adc7..c64a70867 100644 --- a/ansible/provision-net.yml +++ b/ansible/provision-net.yml 
@@ -5,17 +5,32 @@ tags: - provision-net - cleaning-net + - inspection-net tasks: - name: Create controllers group with ironic enabled group_by: key: "controllers_for_provision_net_{{ kolla_enable_ironic | bool }}" changed_when: false -- name: Ensure provisioning and cleaning networks and subnets are registered in neutron +- name: Ensure inspection, provisioning and cleaning networks and subnets are registered in neutron # Only required to run on a single host. hosts: controllers_for_provision_net_True[0] vars: venv: "{{ virtualenv_path }}/openstacksdk" + inspection_net: + name: "{{ kolla_ironic_inspection_network }}" + mtu: "{{ inspection_net_name | net_mtu | default(omit, True) }}" + provider_network_type: "{% if inspection_net_name | net_vlan %}vlan{% else %}flat{% endif %}" + provider_physical_network: "{{ inspection_net_name | net_physical_network | default('physnet1', True) }}" + provider_segmentation_id: "{{ inspection_net_name | net_vlan }}" + # Flat networks need to be shared to allow instances to use them. + shared: "{{ (inspection_net_name | net_vlan) is none }}" + subnets: + - name: "{{ kolla_ironic_inspection_network }}" + cidr: "{{ inspection_net_name | net_cidr }}" + gateway_ip: "{{ inspection_net_name | net_neutron_gateway or provision_wl_net_name | net_gateway | default(omit, True) }}" + allocation_pool_start: "{{ inspection_net_name | net_neutron_allocation_pool_start }}" + allocation_pool_end: "{{ inspection_net_name | net_neutron_allocation_pool_end }}" provision_net: name: "{{ kolla_ironic_provisioning_network }}" mtu: "{{ provision_wl_net_name | net_mtu | default(omit, True) }}" @@ -48,6 +63,7 @@ tags: - provision-net - cleaning-net + - inspection-net tasks: - name: Validate OpenStack password authentication parameters fail: diff --git a/ansible/roles/kolla-openstack/defaults/main.yml b/ansible/roles/kolla-openstack/defaults/main.yml index 0d9f2b697..2a20e3ac7 100644 --- a/ansible/roles/kolla-openstack/defaults/main.yml 
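Review bot: In the new `inspection_net` subnet, `gateway_ip` falls back to `provision_wl_net_name | net_gateway` rather than to the inspection network's own gateway, so an inspection network on its own subnet could be registered with a gateway address taken from the workload provisioning network. If that fallback is not deliberate, use `gateway_ip: "{{ inspection_net_name | net_neutron_gateway or inspection_net_name | net_gateway | default(omit, True) }}"`. Separately, `shared` becomes true whenever the inspection network has no VLAN, which makes a network the commit describes as isolated usable from every project. The copied comment talks about instances, so a comment saying why inspection needs sharing would help. The play's `vars` block continues past the end of this hunk.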
+++ b/ansible/roles/kolla-openstack/defaults/main.yml @@ -547,6 +547,9 @@ kolla_ironic_default_vendor_interface: # Name or UUID of the Neutron network to use for cleaning. kolla_ironic_cleaning_network: +# Name or UUID of the Neutron network to use for inspection. +kolla_ironic_inspection_network: + # Name or UUID of the Neutron network to use for provisioning. kolla_ironic_provisioning_network: diff --git a/ansible/roles/kolla-openstack/templates/kolla/config/ironic.conf b/ansible/roles/kolla-openstack/templates/kolla/config/ironic.conf index f91aad0db..79adce40c 100644 --- a/ansible/roles/kolla-openstack/templates/kolla/config/ironic.conf +++ b/ansible/roles/kolla-openstack/templates/kolla/config/ironic.conf @@ -20,6 +20,7 @@ deploy_logs_local_path = /var/log/kolla/ironic/deploy [neutron] cleaning_network = {{ kolla_ironic_cleaning_network }} +inspection_network = {{ kolla_ironic_inspection_network }} provisioning_network = {{ kolla_ironic_provisioning_network }} [pxe] diff --git a/etc/kayobe/ironic.yml b/etc/kayobe/ironic.yml index 1298fcb67..311a75695 100644 --- a/etc/kayobe/ironic.yml +++ b/etc/kayobe/ironic.yml @@ -94,6 +94,9 @@ # Name of the Neutron network to use for cleaning. #kolla_ironic_cleaning_network: +# Name of the Neutron network to use for inspection. +#kolla_ironic_inspection_network: + # Name of the Neutron network to use for provisioning. #kolla_ironic_provisioning_network: diff --git a/releasenotes/notes/kolla-ironic-inspection-network-6cd3977447492236.yaml b/releasenotes/notes/kolla-ironic-inspection-network-6cd3977447492236.yaml new file mode 100644 index 000000000..04187c12f --- /dev/null +++ b/releasenotes/notes/kolla-ironic-inspection-network-6cd3977447492236.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Adds support for ``kolla_ironic_inspection_network`` which will be created + in Neutron for Ironic Inspection purposes (defaults to using provisioning + network for backwards compatibility).. 
From f376ae079519c0425d76e53022801754560ac7e7 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Thu, 25 Sep 2025 09:34:16 +0100 Subject: [PATCH 079/187] Network connectivity: Fix regression with noip When using no_ip on all hosts on a given network, the _ips key will not exist in network-allocations.yml at all, so we need to tolerate this key not existing. Closes-Bug: #2125560 Change-Id: I1b71990af38a8fd6c6258a49d2b94e16496fb274 Signed-off-by: Will Szumski --- ansible/network-connectivity.yml | 2 +- ...gression-network-connectivity-no-ip-a37a2d97379a93e7.yaml | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/fixes-regression-network-connectivity-no-ip-a37a2d97379a93e7.yaml diff --git a/ansible/network-connectivity.yml b/ansible/network-connectivity.yml index 797d0f096..2d8d2ccdd 100644 --- a/ansible/network-connectivity.yml +++ b/ansible/network-connectivity.yml @@ -91,5 +91,5 @@ # in the command. Assumption was that this was being evaluated once # for the when clause and then again for the command. Bug? remote_host: "{{ remote_hosts | random(seed=ansible_facts.date_time.iso8601) }}" - remote_ip: "{{ lookup('cached', 'vars', item ~ '_ips')[remote_host] | default('', true) }}" + remote_ip: "{{ lookup('cached', 'vars', item ~ '_ips', default={})[remote_host] | default('', true) }}" mtu: "{{ item | net_mtu }}" diff --git a/releasenotes/notes/fixes-regression-network-connectivity-no-ip-a37a2d97379a93e7.yaml b/releasenotes/notes/fixes-regression-network-connectivity-no-ip-a37a2d97379a93e7.yaml new file mode 100644 index 000000000..c75267ba7 --- /dev/null +++ b/releasenotes/notes/fixes-regression-network-connectivity-no-ip-a37a2d97379a93e7.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Fixes a regression in network connectivity check when using the ``no_ip`` + attribute. `LP#2125560 `__ From b491c276e789a1c1a0dd262059f3ef8bc2ba538e Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Fri, 19 Sep 2025 15:59:23 +0200 Subject: [PATCH 080/187] CI: Fix Ubuntu cloud image tests Ubuntu VMs use the ens2 interface instead of eth0. We also increase the VM provisioning timeout, since 360 seconds is not always enough to reach the point where OpenSSH is ready. Change-Id: I002cadf4c14325bbb10bbfd2efeeb87084bd4314 Signed-off-by: Pierre Riteau --- ansible/infra-vm-provision.yml | 2 +- ansible/seed-vm-provision.yml | 2 +- playbooks/kayobe-infra-vm-base/infra-vms-group-vars.j2 | 5 +++++ playbooks/kayobe-infra-vm-base/overrides.yml.j2 | 2 ++ playbooks/kayobe-seed-vm-base/overrides.yml.j2 | 2 ++ playbooks/kayobe-seed-vm-base/seed-group-vars.j2 | 5 +++++ 6 files changed, 16 insertions(+), 2 deletions(-) diff --git a/ansible/infra-vm-provision.yml b/ansible/infra-vm-provision.yml index d13754725..9ed3834f4 100644 --- a/ansible/infra-vm-provision.yml +++ b/ansible/infra-vm-provision.yml @@ -44,5 +44,5 @@ state: started # NOTE: Ensure we exceed the 5 minute DHCP timeout of the eth0 # interface if necessary. - timeout: 360 + timeout: "{{ infra_vm_provision_timeout | default(360) | int }}" delegate_to: localhost diff --git a/ansible/seed-vm-provision.yml b/ansible/seed-vm-provision.yml index 8be7364ef..1424cc5b0 100644 --- a/ansible/seed-vm-provision.yml +++ b/ansible/seed-vm-provision.yml @@ -131,4 +131,4 @@ state: started # NOTE: Ensure we exceed the 5 minute DHCP timeout of the eth0 # interface if necessary. - timeout: 360 + timeout: "{{ seed_vm_provision_timeout | default(360) | int }}" diff --git a/playbooks/kayobe-infra-vm-base/infra-vms-group-vars.j2 b/playbooks/kayobe-infra-vm-base/infra-vms-group-vars.j2 index 109707e11..94652b8d9 100644 --- a/playbooks/kayobe-infra-vm-base/infra-vms-group-vars.j2 +++ b/playbooks/kayobe-infra-vm-base/infra-vms-group-vars.j2 
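Review bot: `infra_vm_provision_timeout` and `seed_vm_provision_timeout` exist only as inline `default(360)` fallbacks in the two `timeout:` lines (here and in `ansible/seed-vm-provision.yml`). The commit's file list shows no entry for them in the group_vars defaults or under `etc/kayobe`, so operators have no documented setting. Consider declaring both next to the other VM variables with a comment such as `# Time in seconds to wait for the VM to become reachable after provisioning.` The existing NOTE above each line still justifies the value by the eth0 DHCP timeout, which no longer describes the Ubuntu images this commit moves to ens2. Both tasks begin outside their hunks.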
@@ -1,5 +1,10 @@ --- +{% if infra_vm_use_cirros | default(true) or ansible_os_family != "Debian" %} aio_interface: eth0 +{% else %} +# Required for Ubuntu cloud images +aio_interface: ens2 +{% endif %} # Route via the seed-hypervisor to the outside world. aio_gateway: 192.168.33.4 diff --git a/playbooks/kayobe-infra-vm-base/overrides.yml.j2 b/playbooks/kayobe-infra-vm-base/overrides.yml.j2 index 7fc4b3e08..4aba07951 100644 --- a/playbooks/kayobe-infra-vm-base/overrides.yml.j2 +++ b/playbooks/kayobe-infra-vm-base/overrides.yml.j2 @@ -35,6 +35,8 @@ infra_vm_memory_mb: "{{ 1 * 1024 }}" # Use cirros rather than distribution cloud image for the VM. infra_vm_bootstrap_user: cirros infra_vm_root_image: /opt/cache/files/cirros-0.5.3-x86_64-disk.img +{% else %} +infra_vm_provision_timeout: 600 {% endif %} # Cirros doesn't load cdom drivers by default. diff --git a/playbooks/kayobe-seed-vm-base/overrides.yml.j2 b/playbooks/kayobe-seed-vm-base/overrides.yml.j2 index db84c7376..8600588a9 100644 --- a/playbooks/kayobe-seed-vm-base/overrides.yml.j2 +++ b/playbooks/kayobe-seed-vm-base/overrides.yml.j2 @@ -38,6 +38,8 @@ seed_vm_memory_mb: "{{ 1 * 1024 }}" # Use cirros rather than distribution cloud image for the VM. seed_bootstrap_user: cirros seed_vm_root_image: /opt/cache/files/cirros-0.5.3-x86_64-disk.img +{% else %} +seed_vm_provision_timeout: 600 {% endif %} {% if seed_vm_boot_firmware is defined %} diff --git a/playbooks/kayobe-seed-vm-base/seed-group-vars.j2 b/playbooks/kayobe-seed-vm-base/seed-group-vars.j2 index 109707e11..64c65450e 100644 --- a/playbooks/kayobe-seed-vm-base/seed-group-vars.j2 +++ b/playbooks/kayobe-seed-vm-base/seed-group-vars.j2 @@ -1,5 +1,10 @@ --- +{% if seed_vm_use_cirros | default(true) or ansible_os_family != "Debian" %} aio_interface: eth0 +{% else %} +# Required for Ubuntu cloud images +aio_interface: ens2 +{% endif %} # Route via the seed-hypervisor to the outside world. aio_gateway: 192.168.33.4 
From cfea27a6116f41dcc813ec292cf10b2c43c943a2 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Mon, 29 Sep 2025 09:43:30 +0200 Subject: [PATCH 081/187] Configure tuned on Ubuntu The tuned package is available since Ubuntu Jammy. Change-Id: I17e95b27c0f51c92dfce30f7ad3dcdf1c98fc55e Signed-off-by: Pierre Riteau --- ansible/tuned.yml | 1 - doc/source/configuration/reference/hosts.rst | 2 -- .../tests/test_overcloud_host_configure.py | 2 -- releasenotes/notes/tuned-ubuntu-c25b484a19918ad9.yaml | 4 ++++ requirements.yml | 2 +- 5 files changed, 5 insertions(+), 6 deletions(-) create mode 100644 releasenotes/notes/tuned-ubuntu-c25b484a19918ad9.yaml diff --git a/ansible/tuned.yml b/ansible/tuned.yml index b538b2553..2bf4b2f55 100644 --- a/ansible/tuned.yml +++ b/ansible/tuned.yml @@ -13,4 +13,3 @@ become: true when: - tuned_active_builtin_profile != "" - - ansible_facts.os_family == 'RedHat' diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst index edda6514a..4459f2161 100644 --- a/doc/source/configuration/reference/hosts.rst +++ b/doc/source/configuration/reference/hosts.rst @@ -690,8 +690,6 @@ Tuned *tags:* | ``tuned`` -.. note:: Tuned configuration only supports CentOS/Rocky systems for now. - Built-in ``tuned`` profiles can be applied to hosts. The following variables can be used to set a ``tuned`` profile to specific types of hosts: diff --git a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py index 8dc5d1bae..f9fd61048 100644 --- a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py +++ b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py 
@@ -272,8 +272,6 @@ def test_dnf_automatic(host): assert host.service("dnf-automatic.timer").is_running -@pytest.mark.skipif(not _is_dnf(), - reason="tuned profiles only supported on CentOS/Rocky") def test_tuned_profile_is_active(host): tuned_output = host.check_output("tuned-adm active") assert "throughput-performance" in tuned_output diff --git a/releasenotes/notes/tuned-ubuntu-c25b484a19918ad9.yaml b/releasenotes/notes/tuned-ubuntu-c25b484a19918ad9.yaml new file mode 100644 index 000000000..cd66f2c0c --- /dev/null +++ b/releasenotes/notes/tuned-ubuntu-c25b484a19918ad9.yaml @@ -0,0 +1,4 @@ +--- +features: + - | + Adds support for configuring ``tuned`` on Ubuntu hosts. diff --git a/requirements.yml b/requirements.yml index e3d4f1de9..c2376f617 100644 --- a/requirements.yml +++ b/requirements.yml @@ -22,7 +22,7 @@ roles: - src: ahuffman.resolv version: 1.3.1 - src: giovtorres.tuned - version: 1.1.1 + version: 1.2.0 - src: jriguera.configdrive # There are no versioned releases of this role. version: 313c9b0ff8cd8009471380ccd71b27b440ac6704 From 80782a43e0fecd74b4f5061b6f95a800f78949da Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Mon, 29 Sep 2025 14:49:37 +0200 Subject: [PATCH 082/187] CI: Add CentOS Stream/Rocky Linux 10 host configure jobs Change-Id: Ide4cfa11f4867cd9883e7f994443eb4c4849d1d7 Signed-off-by: Pierre Riteau --- .../overrides.yml.j2 | 7 +++++-- .../tests/test_overcloud_host_configure.py | 4 +++- zuul.d/jobs.yaml | 11 +++++++++++ zuul.d/nodesets.yaml | 12 ++++++++++++ zuul.d/project.yaml | 3 +++ 5 files changed, 34 insertions(+), 3 deletions(-) diff --git a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 index 62b316e46..9e9424981 100644 --- a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 +++ b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 
@@ -164,6 +164,8 @@ apt_auth: {% endif %} {% if ansible_facts.os_family == 'RedHat' %} +# NOTE: There are OpenDev mirrors only for centos-stream/9-stream and epel/9. +{% if ansible_facts.distribution_major_version == "9" %} # Use a local DNF mirror. dnf_use_local_mirror: true {% if ansible_facts.distribution == 'CentOS' %} @@ -176,11 +178,12 @@ dnf_centos_mirror_directory: 'centos-stream' dnf_epel_mirror_host: "{{ zuul_site_mirror_fqdn }}" # Mirror directory for DNF EPEL repos. dnf_epel_mirror_directory: 'epel' +{% endif %} # Configure a custom DNF repository. dnf_custom_repos: fluent-package: - baseurl: https://packages.treasuredata.com/lts/5/redhat/$releasever/$basearch - gpgkey: https://packages.treasuredata.com/GPG-KEY-td-agent + baseurl: https://fluentd.cdn.cncf.io/lts/6/redhat/$releasever/$basearch + gpgkey: https://fluentd.cdn.cncf.io/GPG-KEY-fluent-package gpgcheck: yes # Install EPEL local mirror. dnf_install_epel: true diff --git a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py index f9fd61048..442e39f80 100644 --- a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py +++ b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py @@ -20,9 +20,11 @@ def _is_dnf(): return info in ['centos', 'rocky'] +# NOTE: There are OpenDev mirrors only for centos-stream/9-stream and epel/9. def _is_dnf_mirror(): info = distro.id() - return info == 'centos' + version = distro.version() + return info == 'centos' and version == '9' def _is_ubuntu_noble(): diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index dc34d160a..c306e7305 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml 
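Review bot: The replacement `fluent-package` repository takes both `baseurl` and `gpgkey` from `fluentd.cdn.cncf.io`, so `gpgcheck` only proves that packages match whatever key that same host serves at install time. For a CI override that may be acceptable, but the trust decision should be visible, for example with `# Key is fetched from the package host; gpgcheck does not protect against a compromised mirror.` above `gpgkey`. The context line `gpgcheck: yes` also relies on YAML 1.1 truthy parsing, and `gpgcheck: true` is the unambiguous form. The `{% endif %}` added in the second hunk closes the version check opened in the first, while the enclosing `os_family` block ends outside both hunks.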
@@ -314,11 +314,22 @@ nodeset: kayobe-centos9s voting: false +- job: + name: kayobe-overcloud-host-configure-centos10s + parent: kayobe-overcloud-host-configure-base + nodeset: kayobe-centos10s + voting: false + - job: name: kayobe-overcloud-host-configure-rocky9 parent: kayobe-overcloud-host-configure-base nodeset: kayobe-rocky9 +- job: + name: kayobe-overcloud-host-configure-rocky10 + parent: kayobe-overcloud-host-configure-base + nodeset: kayobe-rocky10 + - job: name: kayobe-overcloud-host-configure-ubuntu-noble parent: kayobe-overcloud-host-configure-base diff --git a/zuul.d/nodesets.yaml b/zuul.d/nodesets.yaml index 3dd99d404..3db1e785c 100644 --- a/zuul.d/nodesets.yaml +++ b/zuul.d/nodesets.yaml @@ -5,12 +5,24 @@ - name: primary label: centos-9-stream +- nodeset: + name: kayobe-centos10s + nodes: + - name: primary + label: centos-10-stream-8GB + - nodeset: name: kayobe-rocky9 nodes: - name: primary label: rockylinux-9 +- nodeset: + name: kayobe-rocky10 + nodes: + - name: primary + label: rockylinux-10-8GB + - nodeset: name: kayobe-ubuntu-noble nodes: diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 3ac8dc589..83fcad370 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -15,6 +15,7 @@ - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-host-configure-rocky9 + - kayobe-overcloud-host-configure-rocky10 - kayobe-overcloud-host-configure-ubuntu-noble - kayobe-overcloud-upgrade-ubuntu-noble - kayobe-seed-ubuntu-noble @@ -32,6 +33,7 @@ - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-host-configure-rocky9 + - kayobe-overcloud-host-configure-rocky10 - kayobe-overcloud-host-configure-ubuntu-noble - kayobe-overcloud-upgrade-ubuntu-noble - kayobe-seed-ubuntu-noble 
@@ -49,6 +51,7 @@ - kayobe-infra-vm-ubuntu-noble-cloud-image - kayobe-overcloud-centos9s - kayobe-overcloud-host-configure-centos9s + - kayobe-overcloud-host-configure-centos10s - kayobe-overcloud-rocky9 - kayobe-overcloud-rocky9-podman - kayobe-overcloud-tls-rocky9 From f23cb602df6bade97b60979e75adf57c330bc79d Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 30 Sep 2025 11:51:14 +0200 Subject: [PATCH 083/187] Support CentOS Stream 10 and Rocky Linux 10 images This bumps the jriguera.configdrive role to the latest commit to support generating a configdrive with xorriso instead of genisoimage. Depends-On: https://review.opendev.org/c/openstack/kayobe-config-dev/+/962548 Change-Id: Ia2881915531a74414cda44b676167cf9360c55b7 Signed-off-by: Pierre Riteau --- ansible/inventory/group_vars/all/globals | 7 +- ansible/inventory/group_vars/all/infra-vms | 19 ++++-- ansible/inventory/group_vars/all/seed-vm | 17 ++++- ansible/roles/kolla-ansible/vars/RedHat.yml | 4 +- .../reference/os-distribution.rst | 8 +-- etc/kayobe/globals.yml | 7 +- etc/kayobe/infra-vms.yml | 11 +-- etc/kayobe/seed-vm.yml | 9 ++- .../infra-vms-group-vars.j2 | 4 +- .../kayobe-infra-vm-base/overrides.yml.j2 | 6 +- .../kayobe-seed-vm-base/overrides.yml.j2 | 16 ++--- .../kayobe-seed-vm-base/seed-group-vars.j2 | 4 +- requirements.yml | 2 +- zuul.d/jobs.yaml | 67 +++++++++++++++++++ zuul.d/project.yaml | 36 +++++++--- 15 files changed, 164 insertions(+), 53 deletions(-) diff --git a/ansible/inventory/group_vars/all/globals b/ansible/inventory/group_vars/all/globals index 5e50c513b..492307337 100644 --- a/ansible/inventory/group_vars/all/globals +++ b/ansible/inventory/group_vars/all/globals 
@@ -52,9 +52,10 @@ kayobe_ansible_user: "stack" # is "rocky". os_distribution: "rocky" -# OS release. Valid options are "9-stream" when os_distribution is "centos", or -# "9" when os_distribution is "rocky", or "noble" when os_distribution is -# "ubuntu". +# OS release. Valid options are "9-stream" and "10-stream" (with "9-stream" +# being the default) when os_distribution is "centos", "9" and "10" (with "9" +# being the default) when os_distribution is "rocky", or "noble" when +# os_distribution is "ubuntu". os_release: >- {{ '9-stream' if os_distribution == 'centos' else '9' if os_distribution == 'rocky' diff --git a/ansible/inventory/group_vars/all/infra-vms b/ansible/inventory/group_vars/all/infra-vms index 2105c5e3e..ea0527e3d 100644 --- a/ansible/inventory/group_vars/all/infra-vms +++ b/ansible/inventory/group_vars/all/infra-vms 
@@ -42,19 +42,30 @@ infra_vm_root_format: qcow2 # Base image for the infra VM root volume. Default is # "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img" -# when os_distribution is "ubuntu", or -# https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 -# when os_distribution is "rocky", -# or +# when os_distribution is "ubuntu", +# "https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2" +# when os_distribution is "rocky" and os_release is "9", +# "https://dl.rockylinux.org/pub/rocky/10/images/x86_64/Rocky-10-GenericCloud-Base.latest.x86_64.qcow2" +# when os_distribution is "rocky" and os_release is "10", # "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-9-latest.x86_64.qcow2" +# when os_distribution is "centos" and os_release is "9-stream", or +# "https://cloud.centos.org/centos/10-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-10-latest.x86_64.qcow2" # otherwise. infra_vm_root_image: >- {%- if os_distribution == 'ubuntu' %} https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img {%- elif os_distribution == 'rocky' %} + {%- if os_release == '9' %} https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 {%- else -%} + https://dl.rockylinux.org/pub/rocky/10/images/x86_64/Rocky-10-GenericCloud-Base.latest.x86_64.qcow2 + {%- endif %} + {%- else -%} + {%- if os_release == '9-stream' %} https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-9-latest.x86_64.qcow2 + {%- else -%} + https://cloud.centos.org/centos/10-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-10-latest.x86_64.qcow2 + {%- endif %} {%- endif %} # Capacity of the infra VM data volume. diff --git a/ansible/inventory/group_vars/all/seed-vm b/ansible/inventory/group_vars/all/seed-vm index cc840f46e..4283c413e 100644 
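Review bot: The nested `{%- else -%}` branches in `infra_vm_root_image` (and in the identical `seed_vm_root_image` template in `ansible/inventory/group_vars/all/seed-vm`) pick the Rocky 10 or CentOS Stream 10 image for any `os_release` other than `'9'` or `'9-stream'`. A mistyped value, or presumably an unquoted `os_release: 9` that no longer compares equal to the string, therefore silently provisions a different major release. Naming the second case explicitly, `{%- elif os_release == '10' %}` and `{%- elif os_release == '10-stream' %}`, leaves an unknown value without a match instead of quietly choosing the newer image. All five defaults are mutable `latest` URLs and the hunk shows no digest being checked, so what boots depends on the mirror's content at download time. If the VM provisioning role accepts a checksum, it is worth setting one alongside these defaults.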
--- a/ansible/inventory/group_vars/all/seed-vm +++ b/ansible/inventory/group_vars/all/seed-vm @@ -43,18 +43,29 @@ seed_vm_root_format: qcow2 # Base image for the seed VM root volume. Default is # "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img" # when os_distribution is "ubuntu", -# https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 -# when os_distribution is "rocky", -# or +# "https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2" +# when os_distribution is "rocky" and os_release is "9", +# "https://dl.rockylinux.org/pub/rocky/10/images/x86_64/Rocky-10-GenericCloud-Base.latest.x86_64.qcow2" +# when os_distribution is "rocky" and os_release is "10", # "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-9-latest.x86_64.qcow2" +# when os_distribution is "centos" and os_release is "9-stream", or +# "https://cloud.centos.org/centos/10-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-10-latest.x86_64.qcow2" # otherwise. seed_vm_root_image: >- {%- if os_distribution == 'ubuntu' %} https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img {%- elif os_distribution == 'rocky' %} + {%- if os_release == '9' %} https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 {%- else -%} + https://dl.rockylinux.org/pub/rocky/10/images/x86_64/Rocky-10-GenericCloud-Base.latest.x86_64.qcow2 + {%- endif %} + {%- else -%} + {%- if os_release == '9-stream' %} https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-9-latest.x86_64.qcow2 + {%- else -%} + https://cloud.centos.org/centos/10-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-10-latest.x86_64.qcow2 + {%- endif %} {%- endif %} # Capacity of the seed VM data volume. 
diff --git a/ansible/roles/kolla-ansible/vars/RedHat.yml b/ansible/roles/kolla-ansible/vars/RedHat.yml index 768efbfc0..008dcd0f5 100644 --- a/ansible/roles/kolla-ansible/vars/RedHat.yml +++ b/ansible/roles/kolla-ansible/vars/RedHat.yml @@ -5,6 +5,6 @@ kolla_ansible_package_dependencies: - git - libffi-devel - openssl-devel - - python3.12 - - python3.12-devel + - "{{ 'python3.12' if ansible_facts.distribution_major_version == '9' else 'python3' }}" + - "{{ 'python3.12-devel' if ansible_facts.distribution_major_version == '9' else 'python3-devel' }}" - rsync diff --git a/doc/source/configuration/reference/os-distribution.rst b/doc/source/configuration/reference/os-distribution.rst index 1a3bfb3b1..153f035b0 100644 --- a/doc/source/configuration/reference/os-distribution.rst +++ b/doc/source/configuration/reference/os-distribution.rst @@ -15,10 +15,10 @@ or ``rocky`` or ``ubuntu``, and defaults to ``rocky``. The ``os_release`` variable in ``etc/kayobe/globals.yml`` can be used to set the release of the OS. When ``os_distribution`` is set to ``centos`` it may be -set to ``9-stream``, and this is its default value. When ``os_distribution`` is -set to ``ubuntu`` it may be set to ``noble``, and this is its default value. -When ``os_distribution`` is set to ``rocky`` it may be set to ``9``, and this -is its default value. +set to ``9-stream`` or ``10-stream``, and ``9-stream`` is its default value. +When ``os_distribution`` is set to ``rocky`` it may be set to ``9`` or ``10``, +and ``9`` is its default value. When ``os_distribution`` is set to ``ubuntu`` +it may be set to ``noble``, and this is its default value. These variables are used to set various defaults, including: diff --git a/etc/kayobe/globals.yml b/etc/kayobe/globals.yml index ce4570f39..bb21aca71 100644 --- a/etc/kayobe/globals.yml +++ b/etc/kayobe/globals.yml 
@@ -48,9 +48,10 @@ # is "rocky". #os_distribution: -# OS release. Valid options are "9-stream" when os_distribution is "centos", or -# "9" when os_distribution is "rocky", or "noble" when os_distribution is -# "ubuntu". +# OS release. Valid options are "9-stream" and "10-stream" (with "9-stream" +# being the default) when os_distribution is "centos", "9" and "10" (with "9" +# being the default) when os_distribution is "rocky", or "noble" when +# os_distribution is "ubuntu". #os_release: ############################################################################### diff --git a/etc/kayobe/infra-vms.yml b/etc/kayobe/infra-vms.yml index abbd24e68..2b012b8e5 100644 --- a/etc/kayobe/infra-vms.yml +++ b/etc/kayobe/infra-vms.yml @@ -31,11 +31,14 @@ # Base image for the infra VM root volume. Default is # "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img" -# when os_distribution is "ubuntu", or -# https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 -# when os_distribution is "rocky", -# or +# when os_distribution is "ubuntu", +# "https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2" +# when os_distribution is "rocky" and os_release is "9", +# "https://dl.rockylinux.org/pub/rocky/10/images/x86_64/Rocky-10-GenericCloud-Base.latest.x86_64.qcow2" +# when os_distribution is "rocky" and os_release is "10", # "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-9-latest.x86_64.qcow2" +# when os_distribution is "centos" and os_release is "9-stream", or +# "https://cloud.centos.org/centos/10-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-10-latest.x86_64.qcow2" # otherwise. #infra_vm_root_image: diff --git a/etc/kayobe/seed-vm.yml b/etc/kayobe/seed-vm.yml index e7d0ac0a9..1a575a10b 100644 --- a/etc/kayobe/seed-vm.yml +++ b/etc/kayobe/seed-vm.yml 
@@ -32,10 +32,13 @@ # Base image for the seed VM root volume. Default is # "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img" # when os_distribution is "ubuntu", -# https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 -# when os_distribution is "rocky", -# or +# "https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2" +# when os_distribution is "rocky" and os_release is "9", +# "https://dl.rockylinux.org/pub/rocky/10/images/x86_64/Rocky-10-GenericCloud-Base.latest.x86_64.qcow2" +# when os_distribution is "rocky" and os_release is "10", # "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-9-latest.x86_64.qcow2" +# when os_distribution is "centos" and os_release is "9-stream", or +# "https://cloud.centos.org/centos/10-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-10-latest.x86_64.qcow2" # otherwise. #seed_vm_root_image: diff --git a/playbooks/kayobe-infra-vm-base/infra-vms-group-vars.j2 b/playbooks/kayobe-infra-vm-base/infra-vms-group-vars.j2 index 94652b8d9..9ce8d7318 100644 --- a/playbooks/kayobe-infra-vm-base/infra-vms-group-vars.j2 +++ b/playbooks/kayobe-infra-vm-base/infra-vms-group-vars.j2 @@ -1,8 +1,8 @@ --- -{% if infra_vm_use_cirros | default(true) or ansible_os_family != "Debian" %} +{% if infra_vm_use_cirros | default(true) or ansible_os_family == 'RedHat' and ansible_distribution_major_version == '9' %} aio_interface: eth0 {% else %} -# Required for Ubuntu cloud images +# Required for official cloud images (CentOS Stream 10, Rocky Linux 10, Ubuntu) aio_interface: ens2 {% endif %} diff --git a/playbooks/kayobe-infra-vm-base/overrides.yml.j2 b/playbooks/kayobe-infra-vm-base/overrides.yml.j2 index 4aba07951..c6d5cc075 100644 --- a/playbooks/kayobe-infra-vm-base/overrides.yml.j2 +++ b/playbooks/kayobe-infra-vm-base/overrides.yml.j2 
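Review bot: The new condition in `infra-vms-group-vars.j2` depends on `and` binding tighter than `or`. It evaluates as intended, but parentheses would make that obvious: `{% if infra_vm_use_cirros | default(true) or (ansible_os_family == 'RedHat' and ansible_distribution_major_version == '9') %}`. It also reads the top-level `ansible_os_family` and `ansible_distribution_major_version` variables, while other templates in this series use `ansible_facts.os_family` and `ansible_facts.distribution_major_version`. The top-level names are only defined when fact injection is enabled, so the `ansible_facts.*` form is the safer one. The same line is added to `playbooks/kayobe-seed-vm-base/seed-group-vars.j2`.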
@@ -35,9 +35,6 @@ infra_vm_memory_mb: "{{ 1 * 1024 }}" # Use cirros rather than distribution cloud image for the VM. infra_vm_bootstrap_user: cirros infra_vm_root_image: /opt/cache/files/cirros-0.5.3-x86_64-disk.img -{% else %} -infra_vm_provision_timeout: 600 -{% endif %} # Cirros doesn't load cdom drivers by default. vm_configdrive_device: disk @@ -46,6 +43,9 @@ vm_configdrive_device: disk # /etc/network/interfaces. configdrive_os_family: Debian configdrive_debian_network_interfaces_supports_glob: false +{% else %} +infra_vm_provision_timeout: 600 +{% endif %} # NOTE(mgoddard): CentOS 8 removes interfaces from their bridge during ifdown, # and removes the bridge if there are no interfaces left. When Kayobe bounces diff --git a/playbooks/kayobe-seed-vm-base/overrides.yml.j2 b/playbooks/kayobe-seed-vm-base/overrides.yml.j2 index 8600588a9..83be19105 100644 --- a/playbooks/kayobe-seed-vm-base/overrides.yml.j2 +++ b/playbooks/kayobe-seed-vm-base/overrides.yml.j2 @@ -38,6 +38,14 @@ seed_vm_memory_mb: "{{ 1 * 1024 }}" # Use cirros rather than distribution cloud image for the VM. seed_bootstrap_user: cirros seed_vm_root_image: /opt/cache/files/cirros-0.5.3-x86_64-disk.img + +# Cirros doesn't load cdom drivers by default. +seed_vm_configdrive_device: disk + +# Cirros is Debian family, but doesn't support path globs in +# /etc/network/interfaces. +configdrive_os_family: Debian +configdrive_debian_network_interfaces_supports_glob: false {% else %} seed_vm_provision_timeout: 600 {% endif %} 
@@ -49,14 +57,6 @@ seed_vm_boot_firmware: "{{ seed_vm_boot_firmware }}" seed_vm_machine: "{{ seed_vm_machine }}" {% endif %} -# Cirros doesn't load cdom drivers by default. -seed_vm_configdrive_device: disk - -# Cirros is Debian family, but doesn't support path globs in -# /etc/network/interfaces. -configdrive_os_family: Debian -configdrive_debian_network_interfaces_supports_glob: false - # NOTE(mgoddard): CentOS 8 removes interfaces from their bridge during ifdown, # and removes the bridge if there are no interfaces left. When Kayobe bounces # veth links plugged into the bridge, it causes the bridge which has the IP we diff --git a/playbooks/kayobe-seed-vm-base/seed-group-vars.j2 b/playbooks/kayobe-seed-vm-base/seed-group-vars.j2 index 64c65450e..757d3686f 100644 --- a/playbooks/kayobe-seed-vm-base/seed-group-vars.j2 +++ b/playbooks/kayobe-seed-vm-base/seed-group-vars.j2 @@ -1,8 +1,8 @@ --- -{% if seed_vm_use_cirros | default(true) or ansible_os_family != "Debian" %} +{% if seed_vm_use_cirros | default(true) or ansible_os_family == 'RedHat' and ansible_distribution_major_version == '9' %} aio_interface: eth0 {% else %} -# Required for Ubuntu cloud images +# Required for official cloud images (CentOS Stream 10, Rocky Linux 10, Ubuntu) aio_interface: ens2 {% endif %} diff --git a/requirements.yml b/requirements.yml index c2376f617..4ad3203dc 100644 --- a/requirements.yml +++ b/requirements.yml @@ -25,7 +25,7 @@ roles: version: 1.2.0 - src: jriguera.configdrive # There are no versioned releases of this role. - version: 313c9b0ff8cd8009471380ccd71b27b440ac6704 + version: 71ddface5540ee0ff9e35bcc4334c766ed5d5d3f - src: MichaelRigart.interfaces version: v1.15.6 - src: mrlesmithjr.chrony diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index c306e7305..28429bffb 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml 
@@ -385,11 +385,22 @@ nodeset: kayobe-centos9s voting: false +- job: + name: kayobe-seed-vm-centos10s + parent: kayobe-seed-vm-base + nodeset: kayobe-centos10s + voting: false + - job: name: kayobe-seed-vm-rocky9 parent: kayobe-seed-vm-base nodeset: kayobe-rocky9 +- job: + name: kayobe-seed-vm-rocky10 + parent: kayobe-seed-vm-base + nodeset: kayobe-rocky10 + - job: name: kayobe-seed-vm-ubuntu-noble parent: kayobe-seed-vm-base @@ -405,6 +416,14 @@ vars: seed_vm_use_cirros: false +- job: + name: kayobe-seed-vm-centos10s-cloud-image + parent: kayobe-seed-vm-base + nodeset: kayobe-centos10s + voting: false + vars: + seed_vm_use_cirros: false + - job: name: kayobe-seed-vm-rocky9-cloud-image parent: kayobe-seed-vm-base @@ -412,6 +431,13 @@ vars: seed_vm_use_cirros: false +- job: + name: kayobe-seed-vm-rocky10-cloud-image + parent: kayobe-seed-vm-base + nodeset: kayobe-rocky10 + vars: + seed_vm_use_cirros: false + - job: name: kayobe-seed-vm-ubuntu-noble-cloud-image parent: kayobe-seed-vm-base @@ -434,6 +460,12 @@ nodeset: kayobe-centos9s voting: false +- job: + name: kayobe-seed-vm-centos10s-q35 + parent: kayobe-seed-vm-q35-base + nodeset: kayobe-centos10s + voting: false + - job: name: kayobe-seed-vm-rocky9-q35 parent: kayobe-seed-vm-q35-base @@ -441,6 +473,13 @@ vars: kayobe_control_host_become: false +- job: + name: kayobe-seed-vm-rocky10-q35 + parent: kayobe-seed-vm-q35-base + nodeset: kayobe-rocky10 + vars: + kayobe_control_host_become: false + - job: name: kayobe-seed-vm-ubuntu-noble-q35 parent: kayobe-seed-vm-q35-base @@ -464,6 +503,12 @@ nodeset: kayobe-centos9s voting: false +- job: + name: kayobe-infra-vm-centos10s + parent: kayobe-infra-vm-base + nodeset: kayobe-centos10s + voting: false + - job: name: kayobe-infra-vm-rocky9 parent: kayobe-infra-vm-base 
@@ -471,6 +516,13 @@ vars: kayobe_control_host_become: false +- job: + name: kayobe-infra-vm-rocky10 + parent: kayobe-infra-vm-base + nodeset: kayobe-rocky10 + vars: + kayobe_control_host_become: false + - job: name: kayobe-infra-vm-ubuntu-noble parent: kayobe-infra-vm-base @@ -484,6 +536,14 @@ vars: infra_vm_use_cirros: false +- job: + name: kayobe-infra-vm-centos10s-cloud-image + parent: kayobe-infra-vm-base + nodeset: kayobe-centos10s + voting: false + vars: + infra_vm_use_cirros: false + - job: name: kayobe-infra-vm-rocky9-cloud-image parent: kayobe-infra-vm-base @@ -491,6 +551,13 @@ vars: infra_vm_use_cirros: false +- job: + name: kayobe-infra-vm-rocky10-cloud-image + parent: kayobe-infra-vm-base + nodeset: kayobe-rocky10 + vars: + infra_vm_use_cirros: false + - job: name: kayobe-infra-vm-ubuntu-noble-cloud-image parent: kayobe-infra-vm-base diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 83fcad370..ad4bbd35a 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml 
@@ -12,46 +12,54 @@ - kayobe-tox-ansible-syntax - kayobe-tox-ansible - kayobe-tox-molecule - - kayobe-overcloud-ubuntu-noble - - kayobe-overcloud-ubuntu-noble-podman - - kayobe-overcloud-host-configure-rocky9 + - kayobe-infra-vm-rocky10 + - kayobe-infra-vm-rocky9 + - kayobe-infra-vm-ubuntu-noble - kayobe-overcloud-host-configure-rocky10 + - kayobe-overcloud-host-configure-rocky9 - kayobe-overcloud-host-configure-ubuntu-noble + - kayobe-overcloud-ubuntu-noble + - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-upgrade-ubuntu-noble - kayobe-seed-ubuntu-noble - kayobe-seed-ubuntu-noble-podman - kayobe-seed-upgrade-ubuntu-noble + - kayobe-seed-vm-rocky10 - kayobe-seed-vm-rocky9 - kayobe-seed-vm-ubuntu-noble - - kayobe-infra-vm-rocky9 - - kayobe-infra-vm-ubuntu-noble gate: jobs: - kayobe-tox-ansible-syntax - kayobe-tox-ansible - kayobe-tox-molecule - - kayobe-overcloud-ubuntu-noble - - kayobe-overcloud-ubuntu-noble-podman - - kayobe-overcloud-host-configure-rocky9 + - kayobe-infra-vm-rocky10 + - kayobe-infra-vm-rocky9 + - kayobe-infra-vm-ubuntu-noble - kayobe-overcloud-host-configure-rocky10 + - kayobe-overcloud-host-configure-rocky9 - kayobe-overcloud-host-configure-ubuntu-noble + - kayobe-overcloud-ubuntu-noble + - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-upgrade-ubuntu-noble - kayobe-seed-ubuntu-noble - kayobe-seed-ubuntu-noble-podman - kayobe-seed-upgrade-ubuntu-noble + - kayobe-seed-vm-rocky10 - kayobe-seed-vm-rocky9 - kayobe-seed-vm-ubuntu-noble - - kayobe-infra-vm-rocky9 - - kayobe-infra-vm-ubuntu-noble experimental: jobs: + - kayobe-infra-vm-centos10s + - kayobe-infra-vm-centos10s-cloud-image + - kayobe-infra-vm-centos9s - kayobe-infra-vm-centos9s-cloud-image + - kayobe-infra-vm-rocky10-cloud-image - kayobe-infra-vm-rocky9-cloud-image - kayobe-infra-vm-ubuntu-noble-cloud-image - kayobe-overcloud-centos9s - - kayobe-overcloud-host-configure-centos9s - kayobe-overcloud-host-configure-centos10s + - kayobe-overcloud-host-configure-centos9s - 
kayobe-overcloud-rocky9 - kayobe-overcloud-rocky9-podman - kayobe-overcloud-tls-rocky9 @@ -64,8 +72,14 @@ - kayobe-seed-rocky9 - kayobe-seed-rocky9-podman - kayobe-seed-upgrade-rocky9 + - kayobe-seed-vm-centos10s + - kayobe-seed-vm-centos10s-cloud-image + - kayobe-seed-vm-centos10s-q35 + - kayobe-seed-vm-centos9s - kayobe-seed-vm-centos9s-cloud-image - kayobe-seed-vm-centos9s-q35 + - kayobe-seed-vm-rocky10-cloud-image + - kayobe-seed-vm-rocky10-q35 - kayobe-seed-vm-rocky9-cloud-image - kayobe-seed-vm-rocky9-q35 - kayobe-seed-vm-ubuntu-noble-cloud-image From 5bffc12c085aa6f0468fc3a61e414af44a60df73 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 3 Oct 2025 15:50:32 +0200 Subject: [PATCH 084/187] Bump Ceph package repository to Squid This repository is only configured when using host libvirt. Change-Id: I38c6c1ef60d023633d4cd02884694392ce84325a Signed-off-by: Pierre Riteau --- ansible/inventory/group_vars/all/compute | 4 ++-- doc/source/configuration/reference/hosts.rst | 2 +- etc/kayobe/compute.yml | 2 +- .../notes/host-libvirt-ceph-squid-6c835edd7ac422c8.yaml | 5 +++++ 4 files changed, 9 insertions(+), 4 deletions(-) create mode 100644 releasenotes/notes/host-libvirt-ceph-squid-6c835edd7ac422c8.yaml diff --git a/ansible/inventory/group_vars/all/compute b/ansible/inventory/group_vars/all/compute index 30878e069..1803098cc 100644 --- a/ansible/inventory/group_vars/all/compute +++ b/ansible/inventory/group_vars/all/compute @@ -240,8 +240,8 @@ compute_libvirt_enable_tls: false compute_libvirt_ceph_repo_install: true # Ceph package repository release to install on CentOS and Rocky hosts when -# compute_libvirt_ceph_repo_install is true. Default is 'pacific'. -compute_libvirt_ceph_repo_release: pacific +# compute_libvirt_ceph_repo_install is true. Default is 'squid'. +compute_libvirt_ceph_repo_release: squid ############################################################################### # Compute node swap configuration. 
diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst index 4459f2161..694878339 100644 --- a/doc/source/configuration/reference/hosts.rst +++ b/doc/source/configuration/reference/hosts.rst @@ -1238,7 +1238,7 @@ are relevant only when using the libvirt daemon rather than the Default is ``true``. ``compute_libvirt_ceph_repo_release`` Ceph package repository release to install on CentOS and Rocky hosts when - ``compute_libvirt_ceph_repo_install`` is ``true``. Default is ``pacific``. + ``compute_libvirt_ceph_repo_install`` is ``true``. Default is ``squid``. Example: custom libvirtd.conf ----------------------------- diff --git a/etc/kayobe/compute.yml b/etc/kayobe/compute.yml index f27522349..383abd16f 100644 --- a/etc/kayobe/compute.yml +++ b/etc/kayobe/compute.yml @@ -209,7 +209,7 @@ #compute_libvirt_ceph_repo_install: # Ceph package repository release to install on CentOS and Rocky hosts when -# compute_libvirt_ceph_repo_install is true. Default is 'pacific'. +# compute_libvirt_ceph_repo_install is true. Default is 'squid'. #compute_libvirt_ceph_repo_release: ############################################################################### diff --git a/releasenotes/notes/host-libvirt-ceph-squid-6c835edd7ac422c8.yaml b/releasenotes/notes/host-libvirt-ceph-squid-6c835edd7ac422c8.yaml new file mode 100644 index 000000000..afb2a819a --- /dev/null +++ b/releasenotes/notes/host-libvirt-ceph-squid-6c835edd7ac422c8.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - | + Bumps Ceph package repository to Squid. This repository is only configured + when using host libvirt. From d48d3b2a7122f02c09707f0bdf4ca30d795c6eae Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 10 Oct 2025 11:09:06 +0200 Subject: [PATCH 085/187] Bump stackhpc.libvirt-host to v1.14.0 This adds support for centos/rocky 10. Change-Id: Id9d874024279a8e26561aca0e485c310de38b434 
Signed-off-by: Pierre Riteau --- .../notes/stackhpc-libvirt-host-el10-0250bdabad776c65.yaml | 5 +++++ requirements.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/stackhpc-libvirt-host-el10-0250bdabad776c65.yaml diff --git a/releasenotes/notes/stackhpc-libvirt-host-el10-0250bdabad776c65.yaml b/releasenotes/notes/stackhpc-libvirt-host-el10-0250bdabad776c65.yaml new file mode 100644 index 000000000..646925cfc --- /dev/null +++ b/releasenotes/notes/stackhpc-libvirt-host-el10-0250bdabad776c65.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - | + Bumps the ``stackhpc.libvirt-host`` role to v1.14.0 which fixes + compatibility with CentOS Stream 10 and Rocky Linux 10. diff --git a/requirements.yml b/requirements.yml index 4ad3203dc..ef419f34d 100644 --- a/requirements.yml +++ b/requirements.yml @@ -41,7 +41,7 @@ roles: - src: stackhpc.drac-facts version: 1.0.0 - src: stackhpc.libvirt-host - version: v1.12.1 + version: v1.14.0 - src: stackhpc.libvirt-vm version: v1.16.3 - src: stackhpc.luks From cdfb2ec46d2603c0e99ff208f45a42d78f64089c Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Fri, 5 Sep 2025 13:00:38 +0000 Subject: [PATCH 086/187] Remove inspection store This is not used by the built-in inspector and support for deploying the standalone inspector has been removed[1]. [1] https://review.opendev.org/c/openstack/kolla-ansible/+/951864 Change-Id: I2c2872d1ae6a15afece4a46b9ff7cfe77f073f45 
Signed-off-by: Will Szumski --- ansible/inspection-store.yml | 18 ------- ansible/inventory/group_vars/all/inspector | 10 ---- ansible/kolla-openstack.yml | 6 --- ansible/overcloud-extras.yml | 1 - ansible/roles/inspection-store/README.md | 40 --------------- .../roles/inspection-store/defaults/main.yml | 39 --------------- .../roles/inspection-store/handlers/main.yml | 21 -------- .../roles/inspection-store/tasks/config.yml | 18 ------- .../roles/inspection-store/tasks/deploy.yml | 3 -- .../roles/inspection-store/tasks/destroy.yml | 22 -------- ansible/roles/inspection-store/tasks/main.yml | 2 - ansible/roles/inspection-store/tasks/pull.yml | 11 ---- .../inspection-store/tasks/reconfigure.yml | 2 - .../roles/inspection-store/tasks/start.yml | 18 ------- ansible/roles/inspection-store/tasks/stop.yml | 10 ---- .../roles/inspection-store/tasks/upgrade.yml | 3 -- .../inspection-store/templates/nginx.conf | 40 --------------- .../kolla/config/ironic-inspector.conf | 50 ------------------- etc/kayobe/inspector.yml | 11 ---- ...ves-inspection-store-7d969c6200787282.yaml | 12 +++++ 20 files changed, 12 insertions(+), 325 deletions(-) delete mode 100644 ansible/inspection-store.yml delete mode 100644 ansible/roles/inspection-store/README.md delete mode 100644 ansible/roles/inspection-store/defaults/main.yml delete mode 100644 ansible/roles/inspection-store/handlers/main.yml delete mode 100644 ansible/roles/inspection-store/tasks/config.yml delete mode 100644 ansible/roles/inspection-store/tasks/deploy.yml delete mode 100644 ansible/roles/inspection-store/tasks/destroy.yml delete mode 100644 ansible/roles/inspection-store/tasks/main.yml delete mode 100644 ansible/roles/inspection-store/tasks/pull.yml delete mode 100644 ansible/roles/inspection-store/tasks/reconfigure.yml delete mode 100644 ansible/roles/inspection-store/tasks/start.yml delete mode 100644 ansible/roles/inspection-store/tasks/stop.yml delete mode 100644 ansible/roles/inspection-store/tasks/upgrade.yml delete 
mode 100644 ansible/roles/inspection-store/templates/nginx.conf delete mode 100644 ansible/roles/kolla-openstack/templates/kolla/config/ironic-inspector.conf create mode 100644 releasenotes/notes/removes-inspection-store-7d969c6200787282.yaml diff --git a/ansible/inspection-store.yml b/ansible/inspection-store.yml deleted file mode 100644 index d33968e6c..000000000 --- a/ansible/inspection-store.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -# Deploy/pull/reconfigure/stop/upgrade inspection data store. -# -# Follows kolla-ansible service deployment patterns. -# -# Variables: -# action: One of deploy, destroy, pull, reconfigure, upgrade - -- name: Ensure inspection store is deployed - hosts: controllers[0] - tags: - - inspection-store - roles: - - role: inspection-store - inspection_store_action: "{{ kayobe_action }}" - inspection_store_enabled: "{{ inspector_store_enabled }}" - inspection_store_port: "{{ inspector_store_port }}" - inspection_store_config_path: "{{ config_path }}/inspection-store" diff --git a/ansible/inventory/group_vars/all/inspector b/ansible/inventory/group_vars/all/inspector index bdf3df568..4497d39eb 100644 --- a/ansible/inventory/group_vars/all/inspector +++ b/ansible/inventory/group_vars/all/inspector @@ -395,13 +395,3 @@ inspector_rules: "{{ inspector_rules_default + inspector_rules_extra + (inspecto # applied. inspector_dell_switch_lldp_workaround_group: -############################################################################### -# Inspection store configuration. -# The inspection store provides a Swift-like service for storing inspection -# data which may be useful in environments without Swift. - -# Whether the inspection data store is enabled. -inspector_store_enabled: "{{ kolla_enable_ironic_inspector | bool and not kolla_enable_swift | bool }}" - -# Port on which the inspection data store should listen. -inspector_store_port: 8080 diff --git a/ansible/kolla-openstack.yml b/ansible/kolla-openstack.yml index c7b9d56a7..bb116330d 100644 
--- a/ansible/kolla-openstack.yml +++ b/ansible/kolla-openstack.yml @@ -136,12 +136,6 @@ kolla_inspector_keep_ports: "{{ inspector_keep_ports }}" kolla_inspector_enable_discovery: "{{ inspector_enable_discovery }}" kolla_inspector_discovery_enroll_node_driver: "{{ inspector_discovery_enroll_node_driver }}" - # Ironic inspector swift store configuration. Currently only supports the - # 'fake' inspection store. - kolla_inspector_enable_swift: "{{ inspector_store_enabled }}" - kolla_inspector_swift_auth: - auth_type: none - endpoint_override: "http://{% raw %}{{ api_interface_address }}{% endraw %}:{{ inspector_store_port }}" kolla_inspector_ipa_host: "{{ groups['controllers_with_ironic_enabled_True'][0] }}" kolla_openstack_custom_config_paths_extra_multi_env_static: - "{{ kayobe_config_path }}" diff --git a/ansible/overcloud-extras.yml b/ansible/overcloud-extras.yml index ad16dc86b..0a5d4fa4e 100644 --- a/ansible/overcloud-extras.yml +++ b/ansible/overcloud-extras.yml @@ -8,5 +8,4 @@ # action: One of deploy, destroy, pull, reconfigure, upgrade - import_playbook: docker-registry.yml -- import_playbook: inspection-store.yml - import_playbook: opensm.yml diff --git a/ansible/roles/inspection-store/README.md b/ansible/roles/inspection-store/README.md deleted file mode 100644 index 4c9fb18e8..000000000 --- a/ansible/roles/inspection-store/README.md +++ /dev/null 
@@ -1,40 +0,0 @@ -Inspection Store -================ - -Ironic inspector can make use of Swift to store introspection data. Not all -OpenStack deployments feature Swift, so it may be useful to provide a minimal -HTTP interface that emulates Swift for storing ironic inspector's introspection -data. This role deploys such an interface using nginx. Note that no -authentication mechanism is provided. - -Requirements ------------- - -The host executing the role has the following requirements: - -* Docker engine -* Python ``docker >= 2.0.0`` - -Role Variables --------------- - -Dependencies ------------- - -None - -Example Playbook ----------------- - -The following playbook deploys an inspection store. - - --- - - hosts: all - - roles: - - role: inspection-store - -Author Information ------------------- - -- Mark Goddard () diff --git a/ansible/roles/inspection-store/defaults/main.yml b/ansible/roles/inspection-store/defaults/main.yml deleted file mode 100644 index 7d1997d53..000000000 --- a/ansible/roles/inspection-store/defaults/main.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -# Roughly follows kolla-ansible's service deployment patterns. - -# Action to perform. One of 'deploy', 'destroy', 'pull', 'reconfigure', -# 'stop', 'upgrade'. -inspection_store_action: deploy - -# Whether an inspection store is enabled. -inspection_store_enabled: true - -# Service deployment definition. -inspection_store_services: - inspection_store: - container_name: inspection_store - enabled: "{{ inspection_store_enabled }}" - image: "{{ inspection_store_image_full }}" - network_mode: host - volumes: - - "/etc/localtime:/etc/localtime:ro" - - "{{ inspection_store_config_path }}/nginx.conf:/etc/nginx/nginx.conf:ro" - - "inspection_store:/data" - -# The port on which the inspection store server should listen. -inspection_store_port: 8080 - -# Path in which to store inspection store server configuration. -inspection_store_config_path: "/etc/inspection-store" - -#################### -# Inspection Store -#################### -inspection_store_namespace: "library" -inspection_store: docker.io -inspection_store_image: "{{ inspection_store ~ '/' if inspection_store | default else '' }}{{ inspection_store_namespace ~ '/' if inspection_store_namespace else '' }}nginx" -inspection_store_tag: "stable" -inspection_store_image_full: "{{ inspection_store_image }}:{{ inspection_store_tag }}" - -inspection_store_restart_policy: "unless-stopped" -#inspection_store_restart_retries: diff --git a/ansible/roles/inspection-store/handlers/main.yml b/ansible/roles/inspection-store/handlers/main.yml deleted file mode 100644 index a75eed5c9..000000000 --- a/ansible/roles/inspection-store/handlers/main.yml +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -- name: Restart inspection store container - kayobe_container: - name: "{{ item.value.container_name }}" - state: started - restart: True - # NOTE: The image argument shouldn't be required, but without it this - # handler fails on Ansible 2.3. Related bug: - # https://github.com/ansible/ansible/issues/21188. - image: "{{ item.value.image }}" - with_dict: "{{ inspection_store_services }}" - when: item.value.enabled - become: "{{ container_engine == 'podman' }}" - -- name: Ensure inspection store data directory exists - command: > - {{ container_engine }} exec {{ inspection_store_services.inspection_store.container_name }} - bash -c "mkdir -p /data/ironic-inspector && - chown nginx:nginx /data/ironic-inspector" - when: inspection_store_services.inspection_store.enabled - become: "{{ container_engine == 'podman' }}" diff --git a/ansible/roles/inspection-store/tasks/config.yml b/ansible/roles/inspection-store/tasks/config.yml deleted file mode 100644 index e798f0214..000000000 --- a/ansible/roles/inspection-store/tasks/config.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -- name: Ensure inspection store configuration path exists - file: - path: "{{ inspection_store_config_path }}" - state: directory - owner: "{{ ansible_facts.user_uid }}" - group: "{{ ansible_facts.user_gid }}" - mode: 0750 - become: True - -- name: Ensure inspection store server is configured - template: - src: nginx.conf - dest: "{{ inspection_store_config_path }}/nginx.conf" - become: True - notify: - - Restart inspection store container - - Ensure inspection store data directory exists diff --git a/ansible/roles/inspection-store/tasks/deploy.yml b/ansible/roles/inspection-store/tasks/deploy.yml deleted file mode 100644 index d1f8db5d8..000000000 --- a/ansible/roles/inspection-store/tasks/deploy.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- include_tasks: config.yml -- include_tasks: start.yml 
diff --git a/ansible/roles/inspection-store/tasks/destroy.yml b/ansible/roles/inspection-store/tasks/destroy.yml deleted file mode 100644 index a311bf3e1..000000000 --- a/ansible/roles/inspection-store/tasks/destroy.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- -- name: Ensure inspection store container is stopped - kayobe_container: - name: "{{ item.value.container_name }}" - state: "absent" - with_dict: "{{ inspection_store_services }}" - become: "{{ container_engine == 'podman' }}" - -- name: Ensure inspection store volumes are absent - kayobe_container_volume: - name: "{{ volume }}" - state: absent - with_subelements: - - "{{ inspection_store_services }}" - - volumes - when: "'/' not in volume" - failed_when: - - volume_result.rc != 0 - - "'no such volume' not in volume_result.stderr | lower" - vars: - volume: "{{ item.1.split(':')[0] }}" - become: "{{ container_engine == 'podman' }}" diff --git a/ansible/roles/inspection-store/tasks/main.yml b/ansible/roles/inspection-store/tasks/main.yml deleted file mode 100644 index 23541719d..000000000 --- a/ansible/roles/inspection-store/tasks/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -- include_tasks: "{{ inspection_store_action }}.yml" diff --git a/ansible/roles/inspection-store/tasks/pull.yml b/ansible/roles/inspection-store/tasks/pull.yml deleted file mode 100644 index 88068c305..000000000 --- a/ansible/roles/inspection-store/tasks/pull.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- name: Pulling inspection store container image - kayobe_container_image: - name: "{{ item.value.image }}" - source: pull - state: present - with_dict: "{{ inspection_store_services }}" - when: - - item.value.enabled - - inspection_store_action != 'destroy' - become: "{{ container_engine == 'podman' }}" diff --git a/ansible/roles/inspection-store/tasks/reconfigure.yml b/ansible/roles/inspection-store/tasks/reconfigure.yml deleted file mode 100644 index f670a5b78..000000000 --- a/ansible/roles/inspection-store/tasks/reconfigure.yml +++ /dev/null 
@@ -1,2 +0,0 @@ ---- -- include_tasks: deploy.yml diff --git a/ansible/roles/inspection-store/tasks/start.yml b/ansible/roles/inspection-store/tasks/start.yml deleted file mode 100644 index a2735af38..000000000 --- a/ansible/roles/inspection-store/tasks/start.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -- name: Ensure inspection store container is running - kayobe_container: - image: "{{ item.value.image }}" - name: "{{ item.value.container_name }}" - ports: "{{ item.value.ports | default(omit) }}" - privileged: "{{ item.value.privileged | default(omit) }}" - read_only: "{{ item.value.read_only | default(omit) }}" - restart_policy: "{{ inspection_store_restart_policy }}" - restart_retries: "{{ inspection_store_restart_retries | default(omit) }}" - state: started - volumes: "{{ item.value.volumes }}" - network_mode: "{{ item.value.network_mode | default(omit) }}" - with_dict: "{{ inspection_store_services }}" - notify: - - Ensure inspection store data directory exists - become: "{{ container_engine == 'podman' }}" - when: item.value.enabled | bool diff --git a/ansible/roles/inspection-store/tasks/stop.yml b/ansible/roles/inspection-store/tasks/stop.yml deleted file mode 100644 index d01750c21..000000000 --- a/ansible/roles/inspection-store/tasks/stop.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- name: Ensure inspection store container is stopped - kayobe_container: - image: "{{ item.value.image }}" - name: "{{ item.value.container_name }}" - state: "stopped" - with_dict: "{{ inspection_store_services }}" - when: - - item.value.enabled | bool - become: "{{ container_engine == 'podman' }}" diff --git a/ansible/roles/inspection-store/tasks/upgrade.yml b/ansible/roles/inspection-store/tasks/upgrade.yml deleted file mode 100644 index 99348ae91..000000000 --- a/ansible/roles/inspection-store/tasks/upgrade.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- include_tasks: pull.yml -- include_tasks: deploy.yml 
diff --git a/ansible/roles/inspection-store/templates/nginx.conf b/ansible/roles/inspection-store/templates/nginx.conf deleted file mode 100644 index cea01e58d..000000000 --- a/ansible/roles/inspection-store/templates/nginx.conf +++ /dev/null @@ -1,40 +0,0 @@ -user nginx; -worker_processes 1; - -error_log /var/log/nginx/error.log warn; -pid /var/run/nginx.pid; - - -events { - worker_connections 1024; -} - - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - #tcp_nopush on; - - keepalive_timeout 65; - - #gzip on; - - server { - listen {{ inspection_store_port }}; - root /data; - location /ironic-inspector { - return 200 ""; - } - location /ironic-inspector/ { - dav_methods PUT DELETE; - } - } -} diff --git a/ansible/roles/kolla-openstack/templates/kolla/config/ironic-inspector.conf b/ansible/roles/kolla-openstack/templates/kolla/config/ironic-inspector.conf deleted file mode 100644 index d085c2bec..000000000 --- a/ansible/roles/kolla-openstack/templates/kolla/config/ironic-inspector.conf +++ /dev/null 
@@ -1,50 +0,0 @@ -[DEFAULT] - -[processing] -{% if kolla_inspector_processing_hooks %} -# Comma-separated list of inspector processing plugins. -processing_hooks = {{ kolla_inspector_processing_hooks | join(',') }} -{% endif %} - -{% if kolla_inspector_add_ports %} -# Which MAC addresses to add as ports during introspection. One of 'all', -# 'active' or 'pxe'. -add_ports = {{ kolla_inspector_add_ports }} -{% endif %} - -{% if kolla_inspector_keep_ports %} -keep_ports = {{ kolla_inspector_keep_ports }} -{% endif %} - -# Store logs returned by the inspection ramdisk. -always_store_ramdisk_logs = True - -{% if kolla_inspector_enable_discovery %} -# Enable discovery when nodes do not exist in Ironic. -node_not_found_hook = enroll -{% endif %} - -{% if kolla_inspector_enable_swift %} -store_data = swift -{% endif %} - -{% if kolla_inspector_enable_swift %} -[swift] -{% for key, value in kolla_inspector_swift_auth.items() %} -{{ key }} = {{ value }} -{% endfor %} -{% endif %} - -{% if kolla_inspector_enable_discovery %} -[discovery] -# The driver with which to enroll newly discovered nodes in Ironic. -enroll_node_driver = {{ kolla_inspector_discovery_enroll_node_driver }} -{% endif %} - -{% if kolla_extra_inspector %} -####################### -# Extra configuration -####################### - -{{ kolla_extra_inspector }} -{% endif %} diff --git a/etc/kayobe/inspector.yml b/etc/kayobe/inspector.yml index 123481a5f..713751dfc 100644 --- a/etc/kayobe/inspector.yml +++ b/etc/kayobe/inspector.yml 
@@ -143,17 +143,6 @@ # applied. #inspector_dell_switch_lldp_workaround_group: -############################################################################### -# Inspection store configuration. -# The inspection store provides a Swift-like service for storing inspection -# data which may be useful in environments without Swift. - -# Whether the inspection data store is enabled. -#inspector_store_enabled: - -# Port on which the inspection data store should listen. -#inspector_store_port: - ############################################################################### # Dummy variable to allow Ansible to accept this file. workaround_ansible_issue_8743: yes diff --git a/releasenotes/notes/removes-inspection-store-7d969c6200787282.yaml b/releasenotes/notes/removes-inspection-store-7d969c6200787282.yaml new file mode 100644 index 000000000..f1634e8be --- /dev/null +++ b/releasenotes/notes/removes-inspection-store-7d969c6200787282.yaml @@ -0,0 +1,12 @@ +--- +upgrade: + - | + The inspection_store container has been removed since it was tied to the + standalone Ironic Inspector implementation and support for deploying that + service has been dropped. The new inspection implemenation built into + Ironic stores a similar set of data in the database. Prior to upgrading, + you may wish to dump any data with the ``kayobe overcloud introspection data + save`` command. After the upgrade the container should be manually removed + from the first controller using either ``docker stop inspection store && + docker rm inspection_store`` or ``sudo podman stop inspection_store && sudo + podman rm inspection_store`` From 6986fea5983268448a529d03b7babae8976cb898 Mon Sep 17 00:00:00 2001 
From: Claudia Watson Date: Thu, 25 Sep 2025 15:21:54 +0100 Subject: [PATCH 087/187] Change IPA compression algorithm from default gzip to zstd -19 Updates the IPA (Ironic Python Agent) compression algorithm from the default gzip to use zstd -19 instead. This reduces the transfer size of the IPA boot ISO from the Ironic conductor to the baremetal nodes during provisioning. Change-Id: Id0938c3fef6ccb9ceb556ce68a442393eabf2624 Signed-off-by: Claudia Watson --- ansible/inventory/group_vars/all/ipa | 5 +++-- .../reference/ironic-python-agent.rst | 3 +-- etc/kayobe/ipa.yml | 4 ++-- ...sion-algorithm-to-zstd-19-b3860e0a24ca824e.yaml | 14 ++++++++++++++ 4 files changed, 20 insertions(+), 6 deletions(-) create mode 100644 releasenotes/notes/change-IPA-compression-algorithm-to-zstd-19-b3860e0a24ca824e.yaml diff --git a/ansible/inventory/group_vars/all/ipa b/ansible/inventory/group_vars/all/ipa index 21fbff2df..e021de913 100644 --- a/ansible/inventory/group_vars/all/ipa +++ b/ansible/inventory/group_vars/all/ipa @@ -20,7 +20,7 @@ ipa_builder_source_url: "https://opendev.org/openstack/ironic-python-agent-build ipa_builder_source_version: "{{ openstack_branch }}" # List of additional build host packages to install. -ipa_build_dib_host_packages_extra: [] +ipa_build_dib_host_packages_extra: [ 'zstd' ] # List of default Diskimage Builder (DIB) elements to use when building IPA # images. Default is ["centos", "dynamic-login", "enable-serial-console", @@ -53,6 +53,7 @@ ipa_build_dib_env_default: DIB_REPOLOCATION_ironic_python_agent: "{{ ipa_build_source_url }}" DIB_REPOREF_ironic_python_agent: "{{ ipa_build_source_version }}" DIB_REPOREF_requirements: "{{ ipa_build_source_version }}" + DIB_IPA_COMPRESS_CMD: 'zstd -19' # Dictionary of additional environment variables to provide to Diskimage # Builder (DIB) during IPA image build. 
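Review bot: Adding `zstd` to the default of `ipa_build_dib_host_packages_extra` ties a hard requirement of `DIB_IPA_COMPRESS_CMD: 'zstd -19'` (second hunk, inside `ipa_build_dib_env_default`, which starts above the hunk) to a variable that is documented as the operator's own extension point. A deployment that already sets `ipa_build_dib_host_packages_extra` replaces the whole list, loses `zstd`, and still inherits the zstd compress command, so the image build would presumably fail on a build host without the binary. If a package list that operators do not normally override exists outside these hunks, `zstd` belongs there; otherwise the upgrade note should tell anyone overriding the variable to add `zstd` to their list. It is also worth confirming that every boot path that loads the IPA ramdisk can unpack a zstd-compressed image.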
@@ -83,7 +84,7 @@ ipa_build_dib_git_elements_extra: [] ipa_build_dib_git_elements: >- {{ ipa_build_dib_git_elements_default + ipa_build_dib_git_elements_extra }} -# List of DIB packages to install. Default is none. +# List of DIB packages to install. Default is empty list. ipa_build_dib_packages: [] # Upper constraints file for installing packages in the virtual environment diff --git a/doc/source/configuration/reference/ironic-python-agent.rst b/doc/source/configuration/reference/ironic-python-agent.rst index 23f7f4f06..3d79d10e9 100644 --- a/doc/source/configuration/reference/ironic-python-agent.rst +++ b/doc/source/configuration/reference/ironic-python-agent.rst @@ -45,8 +45,7 @@ image build``. ``ipa_builder_source_version`` Version of IPA builder source repository. Default is ``master``. ``ipa_build_dib_host_packages_extra`` - List of additional build host packages to install. Default is an empty - list. + List of additional build host packages to install. Default is ``[ 'zstd' ]``. ``ipa_build_dib_elements_default`` List of default Diskimage Builder (DIB) elements to use when building IPA images. Default is ``["centos", "dynamic-login", "enable-serial-console", diff --git a/etc/kayobe/ipa.yml b/etc/kayobe/ipa.yml index 00a9b9e97..b64320685 100644 --- a/etc/kayobe/ipa.yml +++ b/etc/kayobe/ipa.yml @@ -19,7 +19,7 @@ # Version of IPA builder source repository. Default is {{ openstack_branch }}. #ipa_builder_source_version: -# List of additional build host packages to install. Default is an empty list. +# List of additional build host packages to install. Default is [ 'zstd' ]. #ipa_build_dib_host_packages_extra: # List of default Diskimage Builder (DIB) elements to use when building IPA 
@@ -64,7 +64,7 @@ # ipa_build_dib_git_elements_default and ipa_build_dib_git_elements_extra. #ipa_build_dib_git_elements: -# List of DIB packages to install. Default is none. +# List of DIB packages to install. Default is empty list. #ipa_build_dib_packages: # Upper constraints file for installing packages in the virtual environment diff --git a/releasenotes/notes/change-IPA-compression-algorithm-to-zstd-19-b3860e0a24ca824e.yaml b/releasenotes/notes/change-IPA-compression-algorithm-to-zstd-19-b3860e0a24ca824e.yaml new file mode 100644 index 000000000..bf4576bb2 --- /dev/null +++ b/releasenotes/notes/change-IPA-compression-algorithm-to-zstd-19-b3860e0a24ca824e.yaml @@ -0,0 +1,14 @@ +--- +features: + - | + Changes the IPA (Ironic Python Agent) image compression algorithm from + the default ``gzip`` to ``zstd``. This improves provisioning + performance by reducing the size of the IPA boot ISO transferred from + the Ironic conductor to the bare metal nodes. +upgrade: + - | + Changes the IPA (Ironic Python Agent) image compression algorithm from + default ``gzip`` to ``zstd``. The ``ipa_build_dib_env_default`` dictionary + now includes ``DIB_IPA_COMPRESS_CMD`` set to ``zstd -19``. + The default ``ipa_build_dib_host_packages_extra`` has been changed from + none to ``['zstd']``. \ No newline at end of file From fd9e45be508d627ae2585af6c1837842874bbe34 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 15 Oct 2025 09:16:54 +0200 Subject: [PATCH 088/187] Switch default Kolla images for centos/rocky 10 Change-Id: Ia040773a30e3f479402de6261eaaa62a93a1a29b Signed-off-by: Pierre Riteau --- ansible/inventory/group_vars/all/kolla | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/inventory/group_vars/all/kolla b/ansible/inventory/group_vars/all/kolla index f20c0e5fd..ad5942be8 100644 --- a/ansible/inventory/group_vars/all/kolla +++ b/ansible/inventory/group_vars/all/kolla 
@@ -63,9 +63,9 @@ kolla_base_distro: "{{ os_distribution }}" # Kolla base container image distribution version default map. # Defines default versions for each distribution. kolla_base_distro_version_default_map: { - "centos": "stream9", + "centos": "stream10", "debian": "bookworm", - "rocky": "9", + "rocky": "10", "ubuntu": "noble", } From 29966350ec70932accf10c07920c9ed046da54a1 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 2 Oct 2025 18:08:12 +0200 Subject: [PATCH 089/187] CI: Add more centos/rocky 10 jobs Depends-On: https://review.opendev.org/c/openstack/ansible-collection-kolla/+/961237 Change-Id: Id50444efffc0c9806614620eac049a12408dcbae Signed-off-by: Pierre Riteau --- zuul.d/jobs.yaml | 49 +++++++++++++++++++++++++++++++++++++++++++++ zuul.d/project.yaml | 13 ++++++++++++ 2 files changed, 62 insertions(+) diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 28429bffb..19b877921 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -127,6 +127,12 @@ nodeset: kayobe-centos9s voting: false +- job: + name: kayobe-overcloud-centos10s + parent: kayobe-overcloud-base + nodeset: kayobe-centos10s + voting: false + - job: name: kayobe-overcloud-rocky9 parent: kayobe-overcloud-base @@ -141,6 +147,20 @@ vars: container_engine: podman +- job: + name: kayobe-overcloud-rocky10 + parent: kayobe-overcloud-base + vars: + kayobe_control_host_become: false + nodeset: kayobe-rocky10 + +- job: + name: kayobe-overcloud-rocky10-podman + parent: kayobe-overcloud-base + nodeset: kayobe-rocky10 + vars: + container_engine: podman + - job: name: kayobe-overcloud-ubuntu-noble parent: kayobe-overcloud-base 
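Review bot: No upgrade note accompanies the change of the `centos` and `rocky` entries in `kolla_base_distro_version_default_map` (first hunk on this line); the commit touches only this file. Deployments that rely on the map rather than pinning a version would move to a new major base image on their next image pull or build, though the code that reads the map is outside the hunk, so this is inferred. A `releasenotes/notes/` entry with an `upgrade:` section naming the new defaults (`stream10`, `10`) and the values to set in order to stay on the 9-based images would make the change visible to operators.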
@@ -167,11 +187,22 @@ nodeset: kayobe-centos9s voting: false +- job: + name: kayobe-overcloud-tls-centos10s + parent: kayobe-overcloud-tls-base + nodeset: kayobe-centos10s + voting: false + - job: name: kayobe-overcloud-tls-rocky9 parent: kayobe-overcloud-tls-base nodeset: kayobe-rocky9 +- job: + name: kayobe-overcloud-tls-rocky10 + parent: kayobe-overcloud-tls-base + nodeset: kayobe-rocky10 + - job: name: kayobe-overcloud-upgrade-base parent: kayobe-base @@ -223,6 +254,12 @@ nodeset: kayobe-centos9s voting: false +- job: + name: kayobe-seed-centos10s + parent: kayobe-seed-base + nodeset: kayobe-centos10s + voting: false + - job: name: kayobe-seed-rocky9 parent: kayobe-seed-base @@ -235,6 +272,18 @@ vars: container_engine: podman +- job: + name: kayobe-seed-rocky10 + parent: kayobe-seed-base + nodeset: kayobe-rocky10 + +- job: + name: kayobe-seed-rocky10-podman + parent: kayobe-seed-base + nodeset: kayobe-rocky10 + vars: + container_engine: podman + - job: name: kayobe-seed-ubuntu-noble parent: kayobe-seed-base diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index ad4bbd35a..17b729553 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -18,9 +18,14 @@ - kayobe-overcloud-host-configure-rocky10 - kayobe-overcloud-host-configure-rocky9 - kayobe-overcloud-host-configure-ubuntu-noble + - kayobe-overcloud-rocky10 + - kayobe-overcloud-rocky10-podman + - kayobe-overcloud-tls-rocky10 - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-upgrade-ubuntu-noble + - kayobe-seed-rocky10 + - kayobe-seed-rocky10-podman - kayobe-seed-ubuntu-noble - kayobe-seed-ubuntu-noble-podman - kayobe-seed-upgrade-ubuntu-noble 
@@ -38,9 +43,14 @@ - kayobe-overcloud-host-configure-rocky10 - kayobe-overcloud-host-configure-rocky9 - kayobe-overcloud-host-configure-ubuntu-noble + - kayobe-overcloud-rocky10 + - kayobe-overcloud-rocky10-podman + - kayobe-overcloud-tls-rocky10 - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-upgrade-ubuntu-noble + - kayobe-seed-rocky10 + - kayobe-seed-rocky10-podman - kayobe-seed-ubuntu-noble - kayobe-seed-ubuntu-noble-podman - kayobe-seed-upgrade-ubuntu-noble @@ -57,13 +67,16 @@ - kayobe-infra-vm-rocky10-cloud-image - kayobe-infra-vm-rocky9-cloud-image - kayobe-infra-vm-ubuntu-noble-cloud-image + - kayobe-overcloud-centos10s - kayobe-overcloud-centos9s - kayobe-overcloud-host-configure-centos10s - kayobe-overcloud-host-configure-centos9s - kayobe-overcloud-rocky9 - kayobe-overcloud-rocky9-podman + - kayobe-overcloud-tls-centos10s - kayobe-overcloud-tls-rocky9 - kayobe-overcloud-upgrade-rocky9 + - kayobe-seed-centos10s - kayobe-seed-images-centos9s - kayobe-seed-images-rocky9 - kayobe-seed-images-rocky9-podman From 3ba07b28be8a468dd263833f741fadc7e21af45a Mon Sep 17 00:00:00 2001 From: Claudia Watson Date: Mon, 8 Sep 2025 11:21:45 +0100 Subject: [PATCH 090/187] Add redfish pxe args for virtual media Use ironic pxe variables for redfish. Both Redfish and PXE boot are now supported using a common set of configuration parameters. New variables are in the form kolla_ironic_kernel_append_params. References to old pxe variables in other documentation has been updated. Change-Id: I4bb2930c145da7ca413e3e99a003e14a1e159439 
Signed-off-by: Claudia Watson --- ansible/inventory/group_vars/all/ironic | 21 ++++++++++++------- .../roles/kolla-openstack/defaults/main.yml | 5 ++++- .../templates/kolla/config/ironic.conf | 5 +++++ .../reference/ironic-python-agent.rst | 4 ++-- etc/kayobe/ironic.yml | 8 +++++++ .../kayobe-overcloud-base/overrides.yml.j2 | 2 +- ...gs-for-virtual-media-1446188235feaaac.yaml | 12 +++++++++++ 7 files changed, 46 insertions(+), 11 deletions(-) create mode 100644 releasenotes/notes/add-redfish-pxe-args-for-virtual-media-1446188235feaaac.yaml diff --git a/ansible/inventory/group_vars/all/ironic b/ansible/inventory/group_vars/all/ironic index 72f26e2f7..e67526a79 100644 --- a/ansible/inventory/group_vars/all/ironic +++ b/ansible/inventory/group_vars/all/ironic 
@@ -98,20 +98,27 @@ kolla_ironic_cleaning_network: "{{ kolla_ironic_provisioning_network if cleaning kolla_ironic_provisioning_network: 'provision-net' # List of default kernel parameters to append for baremetal PXE boot. -kolla_ironic_pxe_append_params_default: +kolla_ironic_pxe_append_params_default: "{{ kolla_ironic_kernel_append_params_default }}" + +# List of additional kernel parameters to append for baremetal PXE boot. +kolla_ironic_pxe_append_params_extra: "{{ kolla_ironic_kernel_append_params_extra }}" + +# List of kernel parameters to append for baremetal PXE boot. +kolla_ironic_pxe_append_params: "{{ kolla_ironic_pxe_append_params_default + kolla_ironic_pxe_append_params_extra }}" + +# List of default kernel parameters to append for baremetal boot. +kolla_ironic_kernel_append_params_default: - nofb - nomodeset - vga=normal - console=tty0 - console=ttyS0,115200n8 -# List of additional kernel parameters to append for baremetal PXE boot. -kolla_ironic_pxe_append_params_extra: [] +# List of additional kernel parameters to append for baremetal boot. +kolla_ironic_kernel_append_params_extra: [] -# List of kernel parameters to append for baremetal PXE boot. -kolla_ironic_pxe_append_params: > - {{ kolla_ironic_pxe_append_params_default + - kolla_ironic_pxe_append_params_extra }} +# List of kernel parameters to append for baremetal boot. +kolla_ironic_kernel_append_params: "{{ kolla_ironic_kernel_append_params_default + kolla_ironic_kernel_append_params_extra }}" ############################################################################### # Ironic Node Configuration diff --git a/ansible/roles/kolla-openstack/defaults/main.yml b/ansible/roles/kolla-openstack/defaults/main.yml index 0d9f2b697..780cca622 100644 --- a/ansible/roles/kolla-openstack/defaults/main.yml +++ b/ansible/roles/kolla-openstack/defaults/main.yml 
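Review bot: The three `kolla_ironic_pxe_append_params*` variables in this hunk become aliases of the new `kolla_ironic_kernel_append_params*` ones, but their comments do not say so, and the two sets can diverge. A site that already overrides `kolla_ironic_pxe_append_params_extra` changes only the PXE list, while the `[redfish]` section added to `ironic.conf` later in this commit reads only `kolla_ironic_kernel_append_params`, so Redfish virtual media boots would get the defaults without those extras. If deprecation is the intent, the comment on each PXE variable could say so, e.g. `# Deprecated: set kolla_ironic_kernel_append_params_extra instead. Affects PXE boot only.`, and the release note should state that existing `_pxe_` overrides are not applied to Redfish.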
@@ -550,7 +550,10 @@ kolla_ironic_cleaning_network: # Name or UUID of the Neutron network to use for provisioning. kolla_ironic_provisioning_network: -# List of additional append parameters for baremetal PXE boot. +# List of additional append parameters for baremetal boot. +kolla_ironic_kernel_append_params: [] + +#List of additional append parameters for baremetal PXE boot. kolla_ironic_pxe_append_params: [] # Deprecated: diff --git a/ansible/roles/kolla-openstack/templates/kolla/config/ironic.conf b/ansible/roles/kolla-openstack/templates/kolla/config/ironic.conf index f91aad0db..5485efb21 100644 --- a/ansible/roles/kolla-openstack/templates/kolla/config/ironic.conf +++ b/ansible/roles/kolla-openstack/templates/kolla/config/ironic.conf @@ -18,6 +18,11 @@ enabled_hardware_types: {{ kolla_ironic_enabled_hardware_types | join(',') }} [agent] deploy_logs_local_path = /var/log/kolla/ironic/deploy +[redfish] +{% if kolla_ironic_kernel_append_params %} +kernel_append_params = {{ kolla_ironic_kernel_append_params | join(' ') }} +{% endif %} + [neutron] cleaning_network = {{ kolla_ironic_cleaning_network }} provisioning_network = {{ kolla_ironic_provisioning_network }} diff --git a/doc/source/configuration/reference/ironic-python-agent.rst b/doc/source/configuration/reference/ironic-python-agent.rst index 23f7f4f06..b61a6a562 100644 --- a/doc/source/configuration/reference/ironic-python-agent.rst +++ b/doc/source/configuration/reference/ironic-python-agent.rst 
@@ -162,12 +162,12 @@ Bifrost can be configured to use ``dynamic-login`` with the The updated configuration is applied with ``kayobe seed service deploy``. Overcloud Ironic can be configured with the -``kolla_ironic_pxe_append_params_extra`` variable: +``kolla_ironic_kernel_append_params_extra`` variable: .. code-block:: yaml :caption: ``ironic.yml`` - kolla_ironic_pxe_append_params_extra: + kolla_ironic_kernel_append_params_extra: - sshkey="ssh-rsa BBA1..." The updated configuration is applied with ``kayobe overcloud service deploy``. diff --git a/etc/kayobe/ironic.yml b/etc/kayobe/ironic.yml index 1298fcb67..e1f36579e 100644 --- a/etc/kayobe/ironic.yml +++ b/etc/kayobe/ironic.yml @@ -106,6 +106,14 @@ # List of kernel parameters to append for baremetal PXE boot. #kolla_ironic_pxe_append_params: +# List of default kernel parameters to append for baremetal boot. +#kolla_ironic_kernel_append_params_default: + +# List of additional kernel parameters to append for baremetal boot. +#kolla_ironic_kernel_append_params_extra: + +# List of kernel parameters to append for baremetal boot. +#kolla_ironic_kernel_append_params: ############################################################################### # Ironic Node Configuration diff --git a/playbooks/kayobe-overcloud-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-base/overrides.yml.j2 index c13f16f1a..a0a46b5c6 100644 --- a/playbooks/kayobe-overcloud-base/overrides.yml.j2 +++ b/playbooks/kayobe-overcloud-base/overrides.yml.j2 @@ -52,7 +52,7 @@ compute_libvirt_enable_tls: true kolla_enable_tls_external: "yes" kolla_enable_tls_internal: "yes" -kolla_ironic_pxe_append_params_extra: +kolla_ironic_kernel_append_params_extra: - ipa-insecure=1 {% endif %} diff --git a/releasenotes/notes/add-redfish-pxe-args-for-virtual-media-1446188235feaaac.yaml b/releasenotes/notes/add-redfish-pxe-args-for-virtual-media-1446188235feaaac.yaml new file mode 100644 index 000000000..24837912e --- /dev/null 
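Review bot: `ipa-insecure=1` in `playbooks/kayobe-overcloud-base/overrides.yml.j2` (last hunk on this line) is now set through `kolla_ironic_kernel_append_params_extra`, so it reaches the Redfish kernel arguments as well as the PXE ones, and nothing explains why it is there. As I understand the IPA option, it makes the agent skip TLS certificate verification, which suits a CI override but is easy to copy into a real `ironic.yml`. A comment above the variable would record the intent: `# CI only: the agent skips TLS certificate verification with this flag.` The enclosing `{% if %}` block opens outside the hunk, so the condition that guards it is not visible here.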
+++ b/releasenotes/notes/add-redfish-pxe-args-for-virtual-media-1446188235feaaac.yaml @@ -0,0 +1,12 @@ +--- +features: + - | + Adds support for Redfish virtual media and + PXE boot using a common set of variables. + Migration to using + ``kolla_ironic_kernel_append_params`` is + advised. + New boot variables are: + kolla_ironic_kernel_append_params, + kolla_ironic_kernel_append_params_default, + kolla_ironic_kernel_append_params_extra. From 559a08b811a397390635ab3573e7f4e639ba14c6 Mon Sep 17 00:00:00 2001 From: Maksim Malchuk Date: Fri, 17 Oct 2025 16:05:18 +0300 Subject: [PATCH 091/187] Remove default(omit) from Bifrost inventory template The use of default(omit) is for module parameters, not templates. It will generate something like '__omit_place_holder__43ba6b6adb2908224e20a191174d53ef36403cfc'. Closes-Bug: #2045927 Depends-On: https://review.opendev.org/c/openstack/bifrost/+/953336 Change-Id: Ia614645d6b49f10a0c81ae0a0ab2398a9b56912c Signed-off-by: Maksim Malchuk --- ansible/inventory/group_vars/all/bifrost | 4 ++-- ansible/kolla-bifrost-hostvars.yml | 2 +- etc/kayobe/bifrost.yml | 2 +- .../notes/fix-bifrost-invenory-05f8a92915998f09.yaml | 5 +++++ 4 files changed, 9 insertions(+), 4 deletions(-) create mode 100644 releasenotes/notes/fix-bifrost-invenory-05f8a92915998f09.yaml diff --git a/ansible/inventory/group_vars/all/bifrost b/ansible/inventory/group_vars/all/bifrost index 18eb4bb91..76042ff6b 100644 --- a/ansible/inventory/group_vars/all/bifrost +++ b/ansible/inventory/group_vars/all/bifrost 
@@ -68,8 +68,8 @@ kolla_bifrost_deploy_image_filename: "deployment_image.qcow2" # UUID of the root filesystem contained within the deployment image. # See below URL for instructions on how to extract it: # https://docs.openstack.org/ironic/latest/admin/raid.html#image-requirements -# Default is none. -kolla_bifrost_deploy_image_rootfs: +# Default is an empty string. +kolla_bifrost_deploy_image_rootfs: '' # Custom cloud-init user-data passed to deploy of the deployment image. # Default is an empty string. diff --git a/ansible/kolla-bifrost-hostvars.yml b/ansible/kolla-bifrost-hostvars.yml index ce330fe15..d560e4d0e 100644 --- a/ansible/kolla-bifrost-hostvars.yml +++ b/ansible/kolla-bifrost-hostvars.yml @@ -19,7 +19,7 @@ bifrost_hostvars: addressing_mode: static deploy_image_filename: "{{ kolla_bifrost_deploy_image_filename }}" - deploy_image_rootfs: "{{ kolla_bifrost_deploy_image_rootfs | default(omit, true) }}" + deploy_image_rootfs: "{{ kolla_bifrost_deploy_image_rootfs }}" ipv4_interface_mac: "{% if kolla_bifrost_ipv4_interface_mac is defined %}{{ kolla_bifrost_ipv4_interface_mac }}{% else %}{% raw %}{{ extra.pxe_interface_mac | default }}{% endraw %}{% endif %}" ipv4_address: "{{ admin_oc_net_name | net_ip }}" ipv4_subnet_mask: "{{ admin_oc_net_name | net_mask }}" diff --git a/etc/kayobe/bifrost.yml b/etc/kayobe/bifrost.yml index cf75637e7..8c5e9a501 100644 --- a/etc/kayobe/bifrost.yml +++ b/etc/kayobe/bifrost.yml @@ -69,7 +69,7 @@ # UUID of the root filesystem contained within the deployment image. # See below URL for instructions on how to extract it: # https://docs.openstack.org/ironic/latest/admin/raid.html#image-requirements -# Default is none. +# Default is an empty string. #kolla_bifrost_deploy_image_rootfs: # Custom cloud-init user-data passed to deploy of the deployment image. 
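Review bot: With the filter removed in `ansible/kolla-bifrost-hostvars.yml` (second hunk on this line), `deploy_image_rootfs` takes whatever the variable holds. An existing kayobe-config that still sets `kolla_bifrost_deploy_image_rootfs:` with no value, which was the old default, would pass a null rather than the new empty string. How Bifrost treats that is not visible here and depends on the linked Bifrost change. Keeping a fallback removes the difference: `deploy_image_rootfs: "{{ kolla_bifrost_deploy_image_rootfs | default('', true) }}"`. The third hunk leaves `#kolla_bifrost_deploy_image_rootfs:` bare in `etc/kayobe/bifrost.yml`, which yields null again if uncommented as written.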
diff --git a/releasenotes/notes/fix-bifrost-invenory-05f8a92915998f09.yaml b/releasenotes/notes/fix-bifrost-invenory-05f8a92915998f09.yaml new file mode 100644 index 000000000..c616a971a --- /dev/null +++ b/releasenotes/notes/fix-bifrost-invenory-05f8a92915998f09.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Fixes issue when Bifrost hostvars file incorectly generated by Kayobe. + `LP#2045927 `__ From 8882c873055ac74c0916d6d6acc58b6823c496a7 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Sat, 18 Oct 2025 06:27:18 +0200 Subject: [PATCH 092/187] CI: Replace deprecated yaml callback plugin [DEPRECATION WARNING]: community.general.yaml has been deprecated. The plugin has been superseded by the option `result_format=yaml` in callback plugin ansible.builtin.default from ansible-core 2.13 onwards. This feature will be removed from community.general in version 12.0.0. Change-Id: I173240e0c7b5559a1ef1eea95067bd9d6c390ab4 Signed-off-by: Pierre Riteau --- playbooks/kayobe-base/pre.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/kayobe-base/pre.yml b/playbooks/kayobe-base/pre.yml index 34a317a0e..a8be2b19c 100644 --- a/playbooks/kayobe-base/pre.yml +++ b/playbooks/kayobe-base/pre.yml @@ -15,7 +15,7 @@ callbacks_enabled = ansible.posix.profile_tasks # Improve readability of ansible output. - stdout_callback = yaml + callback_result_format = yaml [ssh_connection] # NOTE(wszusmki): Disable pipelining due to: @@ -36,7 +36,7 @@ callbacks_enabled = ansible.posix.profile_tasks # Improve readability of ansible output. - stdout_callback = yaml + callback_result_format = yaml [ssh_connection] # NOTE(wszusmki): Disable pipelining due to: From 5bf9c198dd23d44fe1f54c55eb61b68bdeb0ed18 Mon Sep 17 00:00:00 2001 
From: Claudia Watson Date: Thu, 25 Sep 2025 15:21:54 +0100 Subject: [PATCH 093/187] Change IPA compression algorithm from default gzip to zstd -19 Updates the IPA (Ironic Python Agent) compression algorithm from the default gzip to use zstd -19 instead. This reduces the transfer size of the IPA boot ISO from the Ironic conductor to the baremetal nodes during provisioning. Change-Id: Id0938c3fef6ccb9ceb556ce68a442393eabf2624 Signed-off-by: Claudia Watson --- ansible/inventory/group_vars/all/ipa | 5 +++-- .../reference/ironic-python-agent.rst | 3 +-- etc/kayobe/ipa.yml | 4 ++-- ...sion-algorithm-to-zstd-19-b3860e0a24ca824e.yaml | 14 ++++++++++++++ 4 files changed, 20 insertions(+), 6 deletions(-) create mode 100644 releasenotes/notes/change-IPA-compression-algorithm-to-zstd-19-b3860e0a24ca824e.yaml diff --git a/ansible/inventory/group_vars/all/ipa b/ansible/inventory/group_vars/all/ipa index 21fbff2df..e021de913 100644 --- a/ansible/inventory/group_vars/all/ipa +++ b/ansible/inventory/group_vars/all/ipa @@ -20,7 +20,7 @@ ipa_builder_source_url: "https://opendev.org/openstack/ironic-python-agent-build ipa_builder_source_version: "{{ openstack_branch }}" # List of additional build host packages to install. -ipa_build_dib_host_packages_extra: [] +ipa_build_dib_host_packages_extra: [ 'zstd' ] # List of default Diskimage Builder (DIB) elements to use when building IPA # images. Default is ["centos", "dynamic-login", "enable-serial-console", @@ -53,6 +53,7 @@ ipa_build_dib_env_default: DIB_REPOLOCATION_ironic_python_agent: "{{ ipa_build_source_url }}" DIB_REPOREF_ironic_python_agent: "{{ ipa_build_source_version }}" DIB_REPOREF_requirements: "{{ ipa_build_source_version }}" + DIB_IPA_COMPRESS_CMD: 'zstd -19' # Dictionary of additional environment variables to provide to Diskimage # Builder (DIB) during IPA image build. 
@@ -83,7 +84,7 @@ ipa_build_dib_git_elements_extra: [] ipa_build_dib_git_elements: >- {{ ipa_build_dib_git_elements_default + ipa_build_dib_git_elements_extra }} -# List of DIB packages to install. Default is none. +# List of DIB packages to install. Default is empty list. ipa_build_dib_packages: [] # Upper constraints file for installing packages in the virtual environment diff --git a/doc/source/configuration/reference/ironic-python-agent.rst b/doc/source/configuration/reference/ironic-python-agent.rst index 23f7f4f06..3d79d10e9 100644 --- a/doc/source/configuration/reference/ironic-python-agent.rst +++ b/doc/source/configuration/reference/ironic-python-agent.rst @@ -45,8 +45,7 @@ image build``. ``ipa_builder_source_version`` Version of IPA builder source repository. Default is ``master``. ``ipa_build_dib_host_packages_extra`` - List of additional build host packages to install. Default is an empty - list. + List of additional build host packages to install. Default is ``[ 'zstd' ]``. ``ipa_build_dib_elements_default`` List of default Diskimage Builder (DIB) elements to use when building IPA images. Default is ``["centos", "dynamic-login", "enable-serial-console", diff --git a/etc/kayobe/ipa.yml b/etc/kayobe/ipa.yml index 00a9b9e97..b64320685 100644 --- a/etc/kayobe/ipa.yml +++ b/etc/kayobe/ipa.yml @@ -19,7 +19,7 @@ # Version of IPA builder source repository. Default is {{ openstack_branch }}. #ipa_builder_source_version: -# List of additional build host packages to install. Default is an empty list. +# List of additional build host packages to install. Default is [ 'zstd' ]. #ipa_build_dib_host_packages_extra: # List of default Diskimage Builder (DIB) elements to use when building IPA 
@@ -64,7 +64,7 @@ # ipa_build_dib_git_elements_default and ipa_build_dib_git_elements_extra. #ipa_build_dib_git_elements: -# List of DIB packages to install. Default is none. +# List of DIB packages to install. Default is empty list. #ipa_build_dib_packages: # Upper constraints file for installing packages in the virtual environment diff --git a/releasenotes/notes/change-IPA-compression-algorithm-to-zstd-19-b3860e0a24ca824e.yaml b/releasenotes/notes/change-IPA-compression-algorithm-to-zstd-19-b3860e0a24ca824e.yaml new file mode 100644 index 000000000..bf4576bb2 --- /dev/null +++ b/releasenotes/notes/change-IPA-compression-algorithm-to-zstd-19-b3860e0a24ca824e.yaml @@ -0,0 +1,14 @@ +--- +features: + - | + Changes the IPA (Ironic Python Agent) image compression algorithm from + the default ``gzip`` to ``zstd``. This improves provisioning + performance by reducing the size of the IPA boot ISO transferred from + the Ironic conductor to the bare metal nodes. +upgrade: + - | + Changes the IPA (Ironic Python Agent) image compression algorithm from + default ``gzip`` to ``zstd``. The ``ipa_build_dib_env_default`` dictionary + now includes ``DIB_IPA_COMPRESS_CMD`` set to ``zstd -19``. + The default ``ipa_build_dib_host_packages_extra`` has been changed from + none to ``['zstd']``. \ No newline at end of file From 1ff7e4434f8cd8d5623d33779799b089d463a5d6 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 10 Oct 2025 11:09:06 +0200 Subject: [PATCH 094/187] Bump stackhpc.libvirt-host to v1.14.0 This adds support for centos/rocky 10. Change-Id: Id9d874024279a8e26561aca0e485c310de38b434 Signed-off-by: Pierre Riteau --- .../notes/stackhpc-libvirt-host-el10-0250bdabad776c65.yaml | 5 +++++ requirements.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/stackhpc-libvirt-host-el10-0250bdabad776c65.yaml 
diff --git a/releasenotes/notes/stackhpc-libvirt-host-el10-0250bdabad776c65.yaml b/releasenotes/notes/stackhpc-libvirt-host-el10-0250bdabad776c65.yaml new file mode 100644 index 000000000..646925cfc --- /dev/null +++ b/releasenotes/notes/stackhpc-libvirt-host-el10-0250bdabad776c65.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - | + Bumps the ``stackhpc.libvirt-host`` role to v1.14.0 which fixes + compatibility with CentOS Stream 10 and Rocky Linux 10. diff --git a/requirements.yml b/requirements.yml index 4ad3203dc..ef419f34d 100644 --- a/requirements.yml +++ b/requirements.yml @@ -41,7 +41,7 @@ roles: - src: stackhpc.drac-facts version: 1.0.0 - src: stackhpc.libvirt-host - version: v1.12.1 + version: v1.14.0 - src: stackhpc.libvirt-vm version: v1.16.3 - src: stackhpc.luks From 8b81ea31ddce2342babe1bc4eab62c65e12edd99 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Fri, 5 Sep 2025 13:00:38 +0000 Subject: [PATCH 095/187] Remove inspection store This is not used by the built-in inspector and support for deploying the standalone inspector has been removed[1]. [1] https://review.opendev.org/c/openstack/kolla-ansible/+/951864 Change-Id: I2c2872d1ae6a15afece4a46b9ff7cfe77f073f45 
Signed-off-by: Will Szumski --- ansible/inspection-store.yml | 18 ------- ansible/inventory/group_vars/all/inspector | 10 ---- ansible/kolla-openstack.yml | 6 --- ansible/overcloud-extras.yml | 1 - ansible/roles/inspection-store/README.md | 40 --------------- .../roles/inspection-store/defaults/main.yml | 39 --------------- .../roles/inspection-store/handlers/main.yml | 21 -------- .../roles/inspection-store/tasks/config.yml | 18 ------- .../roles/inspection-store/tasks/deploy.yml | 3 -- .../roles/inspection-store/tasks/destroy.yml | 22 -------- ansible/roles/inspection-store/tasks/main.yml | 2 - ansible/roles/inspection-store/tasks/pull.yml | 11 ---- .../inspection-store/tasks/reconfigure.yml | 2 - .../roles/inspection-store/tasks/start.yml | 18 ------- ansible/roles/inspection-store/tasks/stop.yml | 10 ---- .../roles/inspection-store/tasks/upgrade.yml | 3 -- .../inspection-store/templates/nginx.conf | 40 --------------- .../kolla/config/ironic-inspector.conf | 50 ------------------- etc/kayobe/inspector.yml | 11 ---- ...ves-inspection-store-7d969c6200787282.yaml | 12 +++++ 20 files changed, 12 insertions(+), 325 deletions(-) delete mode 100644 ansible/inspection-store.yml delete mode 100644 ansible/roles/inspection-store/README.md delete mode 100644 ansible/roles/inspection-store/defaults/main.yml delete mode 100644 ansible/roles/inspection-store/handlers/main.yml delete mode 100644 ansible/roles/inspection-store/tasks/config.yml delete mode 100644 ansible/roles/inspection-store/tasks/deploy.yml delete mode 100644 ansible/roles/inspection-store/tasks/destroy.yml delete mode 100644 ansible/roles/inspection-store/tasks/main.yml delete mode 100644 ansible/roles/inspection-store/tasks/pull.yml delete mode 100644 ansible/roles/inspection-store/tasks/reconfigure.yml delete mode 100644 ansible/roles/inspection-store/tasks/start.yml delete mode 100644 ansible/roles/inspection-store/tasks/stop.yml delete mode 100644 ansible/roles/inspection-store/tasks/upgrade.yml delete 
mode 100644 ansible/roles/inspection-store/templates/nginx.conf delete mode 100644 ansible/roles/kolla-openstack/templates/kolla/config/ironic-inspector.conf create mode 100644 releasenotes/notes/removes-inspection-store-7d969c6200787282.yaml diff --git a/ansible/inspection-store.yml b/ansible/inspection-store.yml deleted file mode 100644 index d33968e6c..000000000 --- a/ansible/inspection-store.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -# Deploy/pull/reconfigure/stop/upgrade inspection data store. -# -# Follows kolla-ansible service deployment patterns. -# -# Variables: -# action: One of deploy, destroy, pull, reconfigure, upgrade - -- name: Ensure inspection store is deployed - hosts: controllers[0] - tags: - - inspection-store - roles: - - role: inspection-store - inspection_store_action: "{{ kayobe_action }}" - inspection_store_enabled: "{{ inspector_store_enabled }}" - inspection_store_port: "{{ inspector_store_port }}" - inspection_store_config_path: "{{ config_path }}/inspection-store" diff --git a/ansible/inventory/group_vars/all/inspector b/ansible/inventory/group_vars/all/inspector index bdf3df568..4497d39eb 100644 --- a/ansible/inventory/group_vars/all/inspector +++ b/ansible/inventory/group_vars/all/inspector @@ -395,13 +395,3 @@ inspector_rules: "{{ inspector_rules_default + inspector_rules_extra + (inspecto # applied. inspector_dell_switch_lldp_workaround_group: -############################################################################### -# Inspection store configuration. -# The inspection store provides a Swift-like service for storing inspection -# data which may be useful in environments without Swift. - -# Whether the inspection data store is enabled. -inspector_store_enabled: "{{ kolla_enable_ironic_inspector | bool and not kolla_enable_swift | bool }}" - -# Port on which the inspection data store should listen. -inspector_store_port: 8080 diff --git a/ansible/kolla-openstack.yml b/ansible/kolla-openstack.yml index c7b9d56a7..bb116330d 100644 
--- a/ansible/kolla-openstack.yml +++ b/ansible/kolla-openstack.yml @@ -136,12 +136,6 @@ kolla_inspector_keep_ports: "{{ inspector_keep_ports }}" kolla_inspector_enable_discovery: "{{ inspector_enable_discovery }}" kolla_inspector_discovery_enroll_node_driver: "{{ inspector_discovery_enroll_node_driver }}" - # Ironic inspector swift store configuration. Currently only supports the - # 'fake' inspection store. - kolla_inspector_enable_swift: "{{ inspector_store_enabled }}" - kolla_inspector_swift_auth: - auth_type: none - endpoint_override: "http://{% raw %}{{ api_interface_address }}{% endraw %}:{{ inspector_store_port }}" kolla_inspector_ipa_host: "{{ groups['controllers_with_ironic_enabled_True'][0] }}" kolla_openstack_custom_config_paths_extra_multi_env_static: - "{{ kayobe_config_path }}" diff --git a/ansible/overcloud-extras.yml b/ansible/overcloud-extras.yml index ad16dc86b..0a5d4fa4e 100644 --- a/ansible/overcloud-extras.yml +++ b/ansible/overcloud-extras.yml @@ -8,5 +8,4 @@ # action: One of deploy, destroy, pull, reconfigure, upgrade - import_playbook: docker-registry.yml -- import_playbook: inspection-store.yml - import_playbook: opensm.yml diff --git a/ansible/roles/inspection-store/README.md b/ansible/roles/inspection-store/README.md deleted file mode 100644 index 4c9fb18e8..000000000 --- a/ansible/roles/inspection-store/README.md +++ /dev/null 
@@ -1,40 +0,0 @@ -Inspection Store -================ - -Ironic inspector can make use of Swift to store introspection data. Not all -OpenStack deployments feature Swift, so it may be useful to provide a minimal -HTTP interface that emulates Swift for storing ironic inspector's introspection -data. This role deploys such an interface using nginx. Note that no -authentication mechanism is provided. - -Requirements ------------- - -The host executing the role has the following requirements: - -* Docker engine -* Python ``docker >= 2.0.0`` - -Role Variables --------------- - -Dependencies ------------- - -None - -Example Playbook ----------------- - -The following playbook deploys an inspection store. - - --- - - hosts: all - - roles: - - role: inspection-store - -Author Information ------------------- - -- Mark Goddard () diff --git a/ansible/roles/inspection-store/defaults/main.yml b/ansible/roles/inspection-store/defaults/main.yml deleted file mode 100644 index 7d1997d53..000000000 --- a/ansible/roles/inspection-store/defaults/main.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -# Roughly follows kolla-ansible's service deployment patterns. - -# Action to perform. One of 'deploy', 'destroy', 'pull', 'reconfigure', -# 'stop', 'upgrade'. -inspection_store_action: deploy - -# Whether an inspection store is enabled. -inspection_store_enabled: true - -# Service deployment definition. -inspection_store_services: - inspection_store: - container_name: inspection_store - enabled: "{{ inspection_store_enabled }}" - image: "{{ inspection_store_image_full }}" - network_mode: host - volumes: - - "/etc/localtime:/etc/localtime:ro" - - "{{ inspection_store_config_path }}/nginx.conf:/etc/nginx/nginx.conf:ro" - - "inspection_store:/data" - -# The port on which the inspection store server should listen. -inspection_store_port: 8080 - -# Path in which to store inspection store server configuration. -inspection_store_config_path: "/etc/inspection-store" - -#################### -# Inspection Store -#################### -inspection_store_namespace: "library" -inspection_store: docker.io -inspection_store_image: "{{ inspection_store ~ '/' if inspection_store | default else '' }}{{ inspection_store_namespace ~ '/' if inspection_store_namespace else '' }}nginx" -inspection_store_tag: "stable" -inspection_store_image_full: "{{ inspection_store_image }}:{{ inspection_store_tag }}" - -inspection_store_restart_policy: "unless-stopped" -#inspection_store_restart_retries: diff --git a/ansible/roles/inspection-store/handlers/main.yml b/ansible/roles/inspection-store/handlers/main.yml deleted file mode 100644 index a75eed5c9..000000000 --- a/ansible/roles/inspection-store/handlers/main.yml +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -- name: Restart inspection store container - kayobe_container: - name: "{{ item.value.container_name }}" - state: started - restart: True - # NOTE: The image argument shouldn't be required, but without it this - # handler fails on Ansible 2.3. Related bug: - # https://github.com/ansible/ansible/issues/21188. - image: "{{ item.value.image }}" - with_dict: "{{ inspection_store_services }}" - when: item.value.enabled - become: "{{ container_engine == 'podman' }}" - -- name: Ensure inspection store data directory exists - command: > - {{ container_engine }} exec {{ inspection_store_services.inspection_store.container_name }} - bash -c "mkdir -p /data/ironic-inspector && - chown nginx:nginx /data/ironic-inspector" - when: inspection_store_services.inspection_store.enabled - become: "{{ container_engine == 'podman' }}" diff --git a/ansible/roles/inspection-store/tasks/config.yml b/ansible/roles/inspection-store/tasks/config.yml deleted file mode 100644 index e798f0214..000000000 --- a/ansible/roles/inspection-store/tasks/config.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -- name: Ensure inspection store configuration path exists - file: - path: "{{ inspection_store_config_path }}" - state: directory - owner: "{{ ansible_facts.user_uid }}" - group: "{{ ansible_facts.user_gid }}" - mode: 0750 - become: True - -- name: Ensure inspection store server is configured - template: - src: nginx.conf - dest: "{{ inspection_store_config_path }}/nginx.conf" - become: True - notify: - - Restart inspection store container - - Ensure inspection store data directory exists diff --git a/ansible/roles/inspection-store/tasks/deploy.yml b/ansible/roles/inspection-store/tasks/deploy.yml deleted file mode 100644 index d1f8db5d8..000000000 --- a/ansible/roles/inspection-store/tasks/deploy.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- include_tasks: config.yml -- include_tasks: start.yml 
diff --git a/ansible/roles/inspection-store/tasks/destroy.yml b/ansible/roles/inspection-store/tasks/destroy.yml deleted file mode 100644 index a311bf3e1..000000000 --- a/ansible/roles/inspection-store/tasks/destroy.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- -- name: Ensure inspection store container is stopped - kayobe_container: - name: "{{ item.value.container_name }}" - state: "absent" - with_dict: "{{ inspection_store_services }}" - become: "{{ container_engine == 'podman' }}" - -- name: Ensure inspection store volumes are absent - kayobe_container_volume: - name: "{{ volume }}" - state: absent - with_subelements: - - "{{ inspection_store_services }}" - - volumes - when: "'/' not in volume" - failed_when: - - volume_result.rc != 0 - - "'no such volume' not in volume_result.stderr | lower" - vars: - volume: "{{ item.1.split(':')[0] }}" - become: "{{ container_engine == 'podman' }}" diff --git a/ansible/roles/inspection-store/tasks/main.yml b/ansible/roles/inspection-store/tasks/main.yml deleted file mode 100644 index 23541719d..000000000 --- a/ansible/roles/inspection-store/tasks/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -- include_tasks: "{{ inspection_store_action }}.yml" diff --git a/ansible/roles/inspection-store/tasks/pull.yml b/ansible/roles/inspection-store/tasks/pull.yml deleted file mode 100644 index 88068c305..000000000 --- a/ansible/roles/inspection-store/tasks/pull.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- name: Pulling inspection store container image - kayobe_container_image: - name: "{{ item.value.image }}" - source: pull - state: present - with_dict: "{{ inspection_store_services }}" - when: - - item.value.enabled - - inspection_store_action != 'destroy' - become: "{{ container_engine == 'podman' }}" diff --git a/ansible/roles/inspection-store/tasks/reconfigure.yml b/ansible/roles/inspection-store/tasks/reconfigure.yml deleted file mode 100644 index f670a5b78..000000000 --- a/ansible/roles/inspection-store/tasks/reconfigure.yml +++ /dev/null 
@@ -1,2 +0,0 @@ ---- -- include_tasks: deploy.yml diff --git a/ansible/roles/inspection-store/tasks/start.yml b/ansible/roles/inspection-store/tasks/start.yml deleted file mode 100644 index a2735af38..000000000 --- a/ansible/roles/inspection-store/tasks/start.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -- name: Ensure inspection store container is running - kayobe_container: - image: "{{ item.value.image }}" - name: "{{ item.value.container_name }}" - ports: "{{ item.value.ports | default(omit) }}" - privileged: "{{ item.value.privileged | default(omit) }}" - read_only: "{{ item.value.read_only | default(omit) }}" - restart_policy: "{{ inspection_store_restart_policy }}" - restart_retries: "{{ inspection_store_restart_retries | default(omit) }}" - state: started - volumes: "{{ item.value.volumes }}" - network_mode: "{{ item.value.network_mode | default(omit) }}" - with_dict: "{{ inspection_store_services }}" - notify: - - Ensure inspection store data directory exists - become: "{{ container_engine == 'podman' }}" - when: item.value.enabled | bool diff --git a/ansible/roles/inspection-store/tasks/stop.yml b/ansible/roles/inspection-store/tasks/stop.yml deleted file mode 100644 index d01750c21..000000000 --- a/ansible/roles/inspection-store/tasks/stop.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- name: Ensure inspection store container is stopped - kayobe_container: - image: "{{ item.value.image }}" - name: "{{ item.value.container_name }}" - state: "stopped" - with_dict: "{{ inspection_store_services }}" - when: - - item.value.enabled | bool - become: "{{ container_engine == 'podman' }}" diff --git a/ansible/roles/inspection-store/tasks/upgrade.yml b/ansible/roles/inspection-store/tasks/upgrade.yml deleted file mode 100644 index 99348ae91..000000000 --- a/ansible/roles/inspection-store/tasks/upgrade.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- include_tasks: pull.yml -- include_tasks: deploy.yml 
diff --git a/ansible/roles/inspection-store/templates/nginx.conf b/ansible/roles/inspection-store/templates/nginx.conf deleted file mode 100644 index cea01e58d..000000000 --- a/ansible/roles/inspection-store/templates/nginx.conf +++ /dev/null @@ -1,40 +0,0 @@ -user nginx; -worker_processes 1; - -error_log /var/log/nginx/error.log warn; -pid /var/run/nginx.pid; - - -events { - worker_connections 1024; -} - - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - #tcp_nopush on; - - keepalive_timeout 65; - - #gzip on; - - server { - listen {{ inspection_store_port }}; - root /data; - location /ironic-inspector { - return 200 ""; - } - location /ironic-inspector/ { - dav_methods PUT DELETE; - } - } -} diff --git a/ansible/roles/kolla-openstack/templates/kolla/config/ironic-inspector.conf b/ansible/roles/kolla-openstack/templates/kolla/config/ironic-inspector.conf deleted file mode 100644 index d085c2bec..000000000 --- a/ansible/roles/kolla-openstack/templates/kolla/config/ironic-inspector.conf +++ /dev/null 
@@ -1,50 +0,0 @@ -[DEFAULT] - -[processing] -{% if kolla_inspector_processing_hooks %} -# Comma-separated list of inspector processing plugins. -processing_hooks = {{ kolla_inspector_processing_hooks | join(',') }} -{% endif %} - -{% if kolla_inspector_add_ports %} -# Which MAC addresses to add as ports during introspection. One of 'all', -# 'active' or 'pxe'. -add_ports = {{ kolla_inspector_add_ports }} -{% endif %} - -{% if kolla_inspector_keep_ports %} -keep_ports = {{ kolla_inspector_keep_ports }} -{% endif %} - -# Store logs returned by the inspection ramdisk. -always_store_ramdisk_logs = True - -{% if kolla_inspector_enable_discovery %} -# Enable discovery when nodes do not exist in Ironic. -node_not_found_hook = enroll -{% endif %} - -{% if kolla_inspector_enable_swift %} -store_data = swift -{% endif %} - -{% if kolla_inspector_enable_swift %} -[swift] -{% for key, value in kolla_inspector_swift_auth.items() %} -{{ key }} = {{ value }} -{% endfor %} -{% endif %} - -{% if kolla_inspector_enable_discovery %} -[discovery] -# The driver with which to enroll newly discovered nodes in Ironic. -enroll_node_driver = {{ kolla_inspector_discovery_enroll_node_driver }} -{% endif %} - -{% if kolla_extra_inspector %} -####################### -# Extra configuration -####################### - -{{ kolla_extra_inspector }} -{% endif %} diff --git a/etc/kayobe/inspector.yml b/etc/kayobe/inspector.yml index 123481a5f..713751dfc 100644 --- a/etc/kayobe/inspector.yml +++ b/etc/kayobe/inspector.yml 
@@ -143,17 +143,6 @@ # applied. #inspector_dell_switch_lldp_workaround_group: -############################################################################### -# Inspection store configuration. -# The inspection store provides a Swift-like service for storing inspection -# data which may be useful in environments without Swift. - -# Whether the inspection data store is enabled. -#inspector_store_enabled: - -# Port on which the inspection data store should listen. -#inspector_store_port: - ############################################################################### # Dummy variable to allow Ansible to accept this file. workaround_ansible_issue_8743: yes diff --git a/releasenotes/notes/removes-inspection-store-7d969c6200787282.yaml b/releasenotes/notes/removes-inspection-store-7d969c6200787282.yaml new file mode 100644 index 000000000..f1634e8be --- /dev/null +++ b/releasenotes/notes/removes-inspection-store-7d969c6200787282.yaml @@ -0,0 +1,12 @@ +--- +upgrade: + - | + The inspection_store container has been removed since it was tied to the + standalone Ironic Inspector implementation and support for deploying that + service has been dropped. The new inspection implemenation built into + Ironic stores a similar set of data in the database. Prior to upgrading, + you may wish to dump any data with the ``kayobe overcloud introspection data + save`` command. After the upgrade the container should be manually removed + from the first controller using either ``docker stop inspection store && + docker rm inspection_store`` or ``sudo podman stop inspection_store && sudo + podman rm inspection_store`` From 94318251907c985a7b6caf1bccae7e5bf785db78 Mon Sep 17 00:00:00 2001 
From: Claudia Watson Date: Mon, 8 Sep 2025 11:21:45 +0100 Subject: [PATCH 096/187] Add redfish pxe args for virtual media Use ironic pxe variables for redfish. Both Redfish and PXE boot are now supported using a common set of configuration parameters. New variables are in the form kolla_ironic_kernel_append_params. References to old pxe variables in other documentation has been updated. Change-Id: I4bb2930c145da7ca413e3e99a003e14a1e159439 Signed-off-by: Claudia Watson --- ansible/inventory/group_vars/all/ironic | 21 ++++++++++++------- .../roles/kolla-openstack/defaults/main.yml | 5 ++++- .../templates/kolla/config/ironic.conf | 5 +++++ .../reference/ironic-python-agent.rst | 4 ++-- etc/kayobe/ironic.yml | 8 +++++++ .../kayobe-overcloud-base/overrides.yml.j2 | 2 +- ...gs-for-virtual-media-1446188235feaaac.yaml | 12 +++++++++++ 7 files changed, 46 insertions(+), 11 deletions(-) create mode 100644 releasenotes/notes/add-redfish-pxe-args-for-virtual-media-1446188235feaaac.yaml diff --git a/ansible/inventory/group_vars/all/ironic b/ansible/inventory/group_vars/all/ironic index cf7dc884e..0e37aba9d 100644 --- a/ansible/inventory/group_vars/all/ironic +++ b/ansible/inventory/group_vars/all/ironic 
@@ -101,20 +101,27 @@ kolla_ironic_inspection_network: "{{ kolla_ironic_provisioning_network if inspec kolla_ironic_provisioning_network: 'provision-net' # List of default kernel parameters to append for baremetal PXE boot. -kolla_ironic_pxe_append_params_default: +kolla_ironic_pxe_append_params_default: "{{ kolla_ironic_kernel_append_params_default }}" + +# List of additional kernel parameters to append for baremetal PXE boot. +kolla_ironic_pxe_append_params_extra: "{{ kolla_ironic_kernel_append_params_extra }}" + +# List of kernel parameters to append for baremetal PXE boot. +kolla_ironic_pxe_append_params: "{{ kolla_ironic_pxe_append_params_default + kolla_ironic_pxe_append_params_extra }}" + +# List of default kernel parameters to append for baremetal boot. +kolla_ironic_kernel_append_params_default: - nofb - nomodeset - vga=normal - console=tty0 - console=ttyS0,115200n8 -# List of additional kernel parameters to append for baremetal PXE boot. -kolla_ironic_pxe_append_params_extra: [] +# List of additional kernel parameters to append for baremetal boot. +kolla_ironic_kernel_append_params_extra: [] -# List of kernel parameters to append for baremetal PXE boot. -kolla_ironic_pxe_append_params: > - {{ kolla_ironic_pxe_append_params_default + - kolla_ironic_pxe_append_params_extra }} +# List of kernel parameters to append for baremetal boot. +kolla_ironic_kernel_append_params: "{{ kolla_ironic_kernel_append_params_default + kolla_ironic_kernel_append_params_extra }}" ############################################################################### # Ironic Node Configuration diff --git a/ansible/roles/kolla-openstack/defaults/main.yml b/ansible/roles/kolla-openstack/defaults/main.yml index 2a20e3ac7..c326bd838 100644 --- a/ansible/roles/kolla-openstack/defaults/main.yml +++ b/ansible/roles/kolla-openstack/defaults/main.yml 
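Review bot: The link between the old and new variables in this hunk runs in one direction only: the `kolla_ironic_pxe_append_params_*` variables now default to the `kolla_ironic_kernel_append_params_*` values, but `kolla_ironic_kernel_append_params` is built only from the new `_default` and `_extra` lists. An existing configuration that still sets `kolla_ironic_pxe_append_params_extra` therefore stays confined to the PXE variable and is not carried into the list that the `[redfish]` section of `ironic.conf` is rendered from. That matters when the entry is security-relevant, such as the `sshkey=` parameter shown in the documentation. The comments on the three PXE variables should say this, for example `# Kept for compatibility; set kolla_ironic_kernel_append_params_extra instead. Values set here do not reach the Redfish kernel parameters.`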
@@ -553,7 +553,10 @@ kolla_ironic_inspection_network: # Name or UUID of the Neutron network to use for provisioning. kolla_ironic_provisioning_network: -# List of additional append parameters for baremetal PXE boot. +# List of additional append parameters for baremetal boot. +kolla_ironic_kernel_append_params: [] + +#List of additional append parameters for baremetal PXE boot. kolla_ironic_pxe_append_params: [] # Deprecated: diff --git a/ansible/roles/kolla-openstack/templates/kolla/config/ironic.conf b/ansible/roles/kolla-openstack/templates/kolla/config/ironic.conf index 79adce40c..cbb8ca683 100644 --- a/ansible/roles/kolla-openstack/templates/kolla/config/ironic.conf +++ b/ansible/roles/kolla-openstack/templates/kolla/config/ironic.conf @@ -18,6 +18,11 @@ enabled_hardware_types: {{ kolla_ironic_enabled_hardware_types | join(',') }} [agent] deploy_logs_local_path = /var/log/kolla/ironic/deploy +[redfish] +{% if kolla_ironic_kernel_append_params %} +kernel_append_params = {{ kolla_ironic_kernel_append_params | join(' ') }} +{% endif %} + [neutron] cleaning_network = {{ kolla_ironic_cleaning_network }} inspection_network = {{ kolla_ironic_inspection_network }} diff --git a/doc/source/configuration/reference/ironic-python-agent.rst b/doc/source/configuration/reference/ironic-python-agent.rst index 3d79d10e9..401fa2225 100644 --- a/doc/source/configuration/reference/ironic-python-agent.rst +++ b/doc/source/configuration/reference/ironic-python-agent.rst 
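Review bot: Both comments in this hunk call the variables "additional append parameters", but in the inventory defaults of the same commit the un-suffixed `kolla_ironic_kernel_append_params` and `kolla_ironic_pxe_append_params` hold the complete list (default plus extra), and only the `_extra` variables are additional. The rewritten PXE comment also lost the space after `#`. Suggested wording: `# List of kernel parameters to append for baremetal boot.` and `# List of kernel parameters to append for baremetal PXE boot.` The block these defaults belong to continues past the hunk.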
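Review bot: The new `kernel_append_params` line joins the list with single spaces and writes it unquoted into `ironic.conf`, so each entry has to be a complete kernel argument with its own quoting. An entry containing whitespace is otherwise split into several arguments; the documentation example `sshkey="ssh-rsa BBA1..."` only works because the quotes are part of the entry. The template does not say this, and unlike the removed `ironic-inspector.conf` template the new option has no explanatory comment. A line such as `# Space-separated kernel parameters; an entry containing whitespace must carry its own quotes.` above the option would document the contract. The `[redfish]` header itself is emitted even when the list is empty, which looks harmless but could move inside the `{% if %}` if an empty section is not wanted.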
@@ -161,12 +161,12 @@ Bifrost can be configured to use ``dynamic-login`` with the The updated configuration is applied with ``kayobe seed service deploy``. Overcloud Ironic can be configured with the -``kolla_ironic_pxe_append_params_extra`` variable: +``kolla_ironic_kernel_append_params_extra`` variable: .. code-block:: yaml :caption: ``ironic.yml`` - kolla_ironic_pxe_append_params_extra: + kolla_ironic_kernel_append_params_extra: - sshkey="ssh-rsa BBA1..." The updated configuration is applied with ``kayobe overcloud service deploy``. diff --git a/etc/kayobe/ironic.yml b/etc/kayobe/ironic.yml index 311a75695..442c5411f 100644 --- a/etc/kayobe/ironic.yml +++ b/etc/kayobe/ironic.yml @@ -109,6 +109,14 @@ # List of kernel parameters to append for baremetal PXE boot. #kolla_ironic_pxe_append_params: +# List of default kernel parameters to append for baremetal boot. +#kolla_ironic_kernel_append_params_default: + +# List of additional kernel parameters to append for baremetal boot. +#kolla_ironic_kernel_append_params_extra: + +# List of kernel parameters to append for baremetal boot. +#kolla_ironic_kernel_append_params: ############################################################################### # Ironic Node Configuration diff --git a/playbooks/kayobe-overcloud-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-base/overrides.yml.j2 index c13f16f1a..a0a46b5c6 100644 --- a/playbooks/kayobe-overcloud-base/overrides.yml.j2 +++ b/playbooks/kayobe-overcloud-base/overrides.yml.j2 @@ -52,7 +52,7 @@ compute_libvirt_enable_tls: true kolla_enable_tls_external: "yes" kolla_enable_tls_internal: "yes" -kolla_ironic_pxe_append_params_extra: +kolla_ironic_kernel_append_params_extra: - ipa-insecure=1 {% endif %} diff --git a/releasenotes/notes/add-redfish-pxe-args-for-virtual-media-1446188235feaaac.yaml b/releasenotes/notes/add-redfish-pxe-args-for-virtual-media-1446188235feaaac.yaml new file mode 100644 index 000000000..24837912e --- /dev/null 
+++ b/releasenotes/notes/add-redfish-pxe-args-for-virtual-media-1446188235feaaac.yaml @@ -0,0 +1,12 @@ +--- +features: + - | + Adds support for Redfish virtual media and + PXE boot using a common set of variables. + Migration to using + ``kolla_ironic_kernel_append_params`` is + advised. + New boot variables are: + kolla_ironic_kernel_append_params, + kolla_ironic_kernel_append_params_default, + kolla_ironic_kernel_append_params_extra. From ddae801cba3da532854f9d3495a9cede1913a848 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 15 Oct 2025 09:16:54 +0200 Subject: [PATCH 097/187] Switch default Kolla images for centos/rocky 10 Change-Id: Ia040773a30e3f479402de6261eaaa62a93a1a29b Signed-off-by: Pierre Riteau --- ansible/inventory/group_vars/all/kolla | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/inventory/group_vars/all/kolla b/ansible/inventory/group_vars/all/kolla index f20c0e5fd..ad5942be8 100644 --- a/ansible/inventory/group_vars/all/kolla +++ b/ansible/inventory/group_vars/all/kolla @@ -63,9 +63,9 @@ kolla_base_distro: "{{ os_distribution }}" # Kolla base container image distribution version default map. # Defines default versions for each distribution. kolla_base_distro_version_default_map: { - "centos": "stream9", + "centos": "stream10", "debian": "bookworm", - "rocky": "9", + "rocky": "10", "ubuntu": "noble", } From b34e7f9dd137dcd1de7235feef3572b42073dd3b Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 2 Oct 2025 18:08:12 +0200 Subject: [PATCH 098/187] CI: Add more centos/rocky 10 jobs Depends-On: https://review.opendev.org/c/openstack/ansible-collection-kolla/+/961237 Change-Id: Id50444efffc0c9806614620eac049a12408dcbae Signed-off-by: Pierre Riteau --- zuul.d/jobs.yaml | 49 +++++++++++++++++++++++++++++++++++++++++++++ zuul.d/project.yaml | 13 ++++++++++++ 2 files changed, 62 insertions(+) diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 28429bffb..19b877921 100644 --- a/zuul.d/jobs.yaml 
+++ b/zuul.d/jobs.yaml @@ -127,6 +127,12 @@ nodeset: kayobe-centos9s voting: false +- job: + name: kayobe-overcloud-centos10s + parent: kayobe-overcloud-base + nodeset: kayobe-centos10s + voting: false + - job: name: kayobe-overcloud-rocky9 parent: kayobe-overcloud-base @@ -141,6 +147,20 @@ vars: container_engine: podman +- job: + name: kayobe-overcloud-rocky10 + parent: kayobe-overcloud-base + vars: + kayobe_control_host_become: false + nodeset: kayobe-rocky10 + +- job: + name: kayobe-overcloud-rocky10-podman + parent: kayobe-overcloud-base + nodeset: kayobe-rocky10 + vars: + container_engine: podman + - job: name: kayobe-overcloud-ubuntu-noble parent: kayobe-overcloud-base @@ -167,11 +187,22 @@ nodeset: kayobe-centos9s voting: false +- job: + name: kayobe-overcloud-tls-centos10s + parent: kayobe-overcloud-tls-base + nodeset: kayobe-centos10s + voting: false + - job: name: kayobe-overcloud-tls-rocky9 parent: kayobe-overcloud-tls-base nodeset: kayobe-rocky9 +- job: + name: kayobe-overcloud-tls-rocky10 + parent: kayobe-overcloud-tls-base + nodeset: kayobe-rocky10 + - job: name: kayobe-overcloud-upgrade-base parent: kayobe-base @@ -223,6 +254,12 @@ nodeset: kayobe-centos9s voting: false +- job: + name: kayobe-seed-centos10s + parent: kayobe-seed-base + nodeset: kayobe-centos10s + voting: false + - job: name: kayobe-seed-rocky9 parent: kayobe-seed-base @@ -235,6 +272,18 @@ vars: container_engine: podman +- job: + name: kayobe-seed-rocky10 + parent: kayobe-seed-base + nodeset: kayobe-rocky10 + +- job: + name: kayobe-seed-rocky10-podman + parent: kayobe-seed-base + nodeset: kayobe-rocky10 + vars: + container_engine: podman + - job: name: kayobe-seed-ubuntu-noble parent: kayobe-seed-base diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index ef66352bf..a51b1c6cd 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml 
@@ -18,9 +18,14 @@ - kayobe-overcloud-host-configure-rocky10 - kayobe-overcloud-host-configure-rocky9 - kayobe-overcloud-host-configure-ubuntu-noble + - kayobe-overcloud-rocky10 + - kayobe-overcloud-rocky10-podman + - kayobe-overcloud-tls-rocky10 - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-upgrade-ubuntu-noble + - kayobe-seed-rocky10 + - kayobe-seed-rocky10-podman - kayobe-seed-ubuntu-noble - kayobe-seed-ubuntu-noble-podman - kayobe-seed-upgrade-ubuntu-noble @@ -42,9 +47,14 @@ - kayobe-overcloud-host-configure-rocky10 - kayobe-overcloud-host-configure-rocky9 - kayobe-overcloud-host-configure-ubuntu-noble + - kayobe-overcloud-rocky10 + - kayobe-overcloud-rocky10-podman + - kayobe-overcloud-tls-rocky10 - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-upgrade-ubuntu-noble + - kayobe-seed-rocky10 + - kayobe-seed-rocky10-podman - kayobe-seed-ubuntu-noble - kayobe-seed-ubuntu-noble-podman - kayobe-seed-upgrade-ubuntu-noble @@ -61,13 +71,16 @@ - kayobe-infra-vm-rocky10-cloud-image - kayobe-infra-vm-rocky9-cloud-image - kayobe-infra-vm-ubuntu-noble-cloud-image + - kayobe-overcloud-centos10s - kayobe-overcloud-centos9s - kayobe-overcloud-host-configure-centos10s - kayobe-overcloud-host-configure-centos9s - kayobe-overcloud-rocky9 - kayobe-overcloud-rocky9-podman + - kayobe-overcloud-tls-centos10s - kayobe-overcloud-tls-rocky9 - kayobe-overcloud-upgrade-rocky9 + - kayobe-seed-centos10s - kayobe-seed-images-centos9s - kayobe-seed-images-rocky9 - kayobe-seed-images-rocky9-podman From fe5c81fbe5aca73b93d80f873abc148e67f055be Mon Sep 17 00:00:00 2001 
From: Maksim Malchuk Date: Fri, 17 Oct 2025 16:05:18 +0300 Subject: [PATCH 099/187] Remove default(omit) from Bifrost inventory template The use of default(omit) is for module parameters, not templates. It will generate something like '__omit_place_holder__43ba6b6adb2908224e20a191174d53ef36403cfc'. Closes-Bug: #2045927 Depends-On: https://review.opendev.org/c/openstack/bifrost/+/953336 Change-Id: Ia614645d6b49f10a0c81ae0a0ab2398a9b56912c Signed-off-by: Maksim Malchuk --- ansible/inventory/group_vars/all/bifrost | 4 ++-- ansible/kolla-bifrost-hostvars.yml | 2 +- etc/kayobe/bifrost.yml | 2 +- .../notes/fix-bifrost-invenory-05f8a92915998f09.yaml | 5 +++++ 4 files changed, 9 insertions(+), 4 deletions(-) create mode 100644 releasenotes/notes/fix-bifrost-invenory-05f8a92915998f09.yaml diff --git a/ansible/inventory/group_vars/all/bifrost b/ansible/inventory/group_vars/all/bifrost index 18eb4bb91..76042ff6b 100644 --- a/ansible/inventory/group_vars/all/bifrost +++ b/ansible/inventory/group_vars/all/bifrost @@ -68,8 +68,8 @@ kolla_bifrost_deploy_image_filename: "deployment_image.qcow2" # UUID of the root filesystem contained within the deployment image. # See below URL for instructions on how to extract it: # https://docs.openstack.org/ironic/latest/admin/raid.html#image-requirements -# Default is none. -kolla_bifrost_deploy_image_rootfs: +# Default is an empty string. +kolla_bifrost_deploy_image_rootfs: '' # Custom cloud-init user-data passed to deploy of the deployment image. # Default is an empty string. diff --git a/ansible/kolla-bifrost-hostvars.yml b/ansible/kolla-bifrost-hostvars.yml index ce330fe15..d560e4d0e 100644 --- a/ansible/kolla-bifrost-hostvars.yml +++ b/ansible/kolla-bifrost-hostvars.yml 
@@ -19,7 +19,7 @@ bifrost_hostvars: addressing_mode: static deploy_image_filename: "{{ kolla_bifrost_deploy_image_filename }}" - deploy_image_rootfs: "{{ kolla_bifrost_deploy_image_rootfs | default(omit, true) }}" + deploy_image_rootfs: "{{ kolla_bifrost_deploy_image_rootfs }}" ipv4_interface_mac: "{% if kolla_bifrost_ipv4_interface_mac is defined %}{{ kolla_bifrost_ipv4_interface_mac }}{% else %}{% raw %}{{ extra.pxe_interface_mac | default }}{% endraw %}{% endif %}" ipv4_address: "{{ admin_oc_net_name | net_ip }}" ipv4_subnet_mask: "{{ admin_oc_net_name | net_mask }}" diff --git a/etc/kayobe/bifrost.yml b/etc/kayobe/bifrost.yml index cf75637e7..8c5e9a501 100644 --- a/etc/kayobe/bifrost.yml +++ b/etc/kayobe/bifrost.yml @@ -69,7 +69,7 @@ # UUID of the root filesystem contained within the deployment image. # See below URL for instructions on how to extract it: # https://docs.openstack.org/ironic/latest/admin/raid.html#image-requirements -# Default is none. +# Default is an empty string. #kolla_bifrost_deploy_image_rootfs: # Custom cloud-init user-data passed to deploy of the deployment image. diff --git a/releasenotes/notes/fix-bifrost-invenory-05f8a92915998f09.yaml b/releasenotes/notes/fix-bifrost-invenory-05f8a92915998f09.yaml new file mode 100644 index 000000000..c616a971a --- /dev/null +++ b/releasenotes/notes/fix-bifrost-invenory-05f8a92915998f09.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Fixes issue when Bifrost hostvars file incorectly generated by Kayobe. + `LP#2045927 `__ From 2b875095344b9c029becce3d8f3fb720633fab35 Mon Sep 17 00:00:00 2001 From: Bartosz Bezak Date: Fri, 24 Oct 2025 16:44:04 +0200 Subject: [PATCH 100/187] neutron: Remove support for linux bridge mechanism driver Neutron and kolla already removed it [1][2]. [1] https://review.opendev.org/c/openstack/neutron/+/927216 [2] https://review.opendev.org/c/openstack/kolla-ansible/+/962278 Change-Id: If77366a0f8bb5f6ac3c9951533a2d75c9b0780a9 
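Review bot: `deploy_image_rootfs` now renders `kolla_bifrost_deploy_image_rootfs` with no filter, so the generated hostvars are only correct if the variable is always a string. The inventory default becomes `''` in this commit, but the sample configuration described the default as "none" until now, and an existing override left as a bare `kolla_bifrost_deploy_image_rootfs:` is a YAML null; how a null renders here is likely to depend on the Ansible version in use. Normalising at the point of use keeps the value an empty string in every case without bringing back the `omit` placeholder: `deploy_image_rootfs: "{{ kolla_bifrost_deploy_image_rootfs | default('', true) }}"`. The `bifrost_hostvars` mapping starts and ends outside the hunk.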
Signed-off-by: Bartosz Bezak --- ansible/inventory/group_vars/all/kolla | 2 +- ansible/roles/kolla-ansible/templates/kolla/globals.yml | 2 +- releasenotes/notes/remove-linuxbridge-0112ace7c0bff24b.yaml | 5 +++++ 3 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/remove-linuxbridge-0112ace7c0bff24b.yaml diff --git a/ansible/inventory/group_vars/all/kolla b/ansible/inventory/group_vars/all/kolla index ad5942be8..ec74668ff 100644 --- a/ansible/inventory/group_vars/all/kolla +++ b/ansible/inventory/group_vars/all/kolla @@ -208,7 +208,7 @@ overcloud_container_image_regex_map: enabled: "{{ kolla_enable_multipathd | bool }}" - regex: "neutron-\\(server\\|metadata-agent\\)" enabled: "{{ kolla_enable_neutron | bool }}" - - regex: "neutron-\\(dhcp\\|l3\\|linuxbridge\\|openvswitch\\)-agent" + - regex: "neutron-\\(dhcp\\|l3\\|openvswitch\\)-agent" enabled: "{{ kolla_build_neutron_ovs | default(kolla_enable_neutron | bool and not kolla_enable_ovn | bool) }}" - regex: neutron-bgp-dragent enabled: "{{ kolla_enable_neutron_bgp_dragent | bool }}" diff --git a/ansible/roles/kolla-ansible/templates/kolla/globals.yml b/ansible/roles/kolla-ansible/templates/kolla/globals.yml index f8a93be65..a1a01451d 100644 --- a/ansible/roles/kolla-ansible/templates/kolla/globals.yml +++ b/ansible/roles/kolla-ansible/templates/kolla/globals.yml @@ -119,7 +119,7 @@ docker_registry_username: "{{ kolla_docker_registry_username }}" #bifrost_network_address_family: "{% raw %}{{ network_address_family }}{% endraw %}" #dns_address_family: "{% raw %}{{ network_address_family }}{% endraw %}" -# Valid options are [ openvswitch, linuxbridge ] +# Valid options are [ openvswitch, ovn ] neutron_plugin_agent: "{% if kolla_enable_ovn | default(False) | bool %}ovn{% else %}openvswitch{% endif %}" # Valid options are [ internal, infoblox ] 
diff --git a/releasenotes/notes/remove-linuxbridge-0112ace7c0bff24b.yaml b/releasenotes/notes/remove-linuxbridge-0112ace7c0bff24b.yaml new file mode 100644 index 000000000..f5625e782 --- /dev/null +++ b/releasenotes/notes/remove-linuxbridge-0112ace7c0bff24b.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - | + Support for Linux Bridge mechanism driver has been removed. The driver was + already removed from neutron. From 5eb4cbc6ffd4324501a82325e63c3b35aafe403d Mon Sep 17 00:00:00 2001 From: Ian Watson Date: Thu, 23 Oct 2025 14:47:25 +0100 Subject: [PATCH 101/187] Account for encoding in _get_direct_url Modifies the method to strip out url-encoding of the file name as well as a better way to gather the path that avoids double slashes Closes-Bug: #2129687 Change-Id: Ia2d2c824c64fce4779d4e38eec155dc020a4ad7e Signed-off-by: Ian Watson --- kayobe/utils.py | 4 +++- .../fix-working-dir-url-encoding-5f50d66547858e37.yaml | 7 +++++++ 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/fix-working-dir-url-encoding-5f50d66547858e37.yaml diff --git a/kayobe/utils.py b/kayobe/utils.py index b70cb1029..ff4c35ca0 100644 --- a/kayobe/utils.py +++ b/kayobe/utils.py @@ -24,6 +24,8 @@ import shutil import subprocess import sys +from urllib.parse import unquote +from urllib.parse import urlparse from ansible.parsing.yaml.loader import AnsibleLoader import yaml @@ -67,7 +69,7 @@ def _get_direct_url_if_editable(dist): url = direct_url_content['url'] prefix = 'file://' if url.startswith(prefix): - return url[len(prefix):] + return unquote(urlparse(url).path) return None diff --git a/releasenotes/notes/fix-working-dir-url-encoding-5f50d66547858e37.yaml b/releasenotes/notes/fix-working-dir-url-encoding-5f50d66547858e37.yaml new file mode 100644 index 000000000..a7ed09bd2 --- /dev/null +++ b/releasenotes/notes/fix-working-dir-url-encoding-5f50d66547858e37.yaml 
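Review bot: No test accompanies the change to `_get_direct_url_if_editable`; the diffstat lists only `kayobe/utils.py` and the release note, so the decoding behaviour this commit fixes is not pinned. A unit test that feeds a URL such as `file:///home/user/a%40b/kayobe` (constructed example) and expects `/home/user/a@b/kayobe` would guard against a regression. The new `return unquote(urlparse(url).path)` also discards any authority part of the URL, whereas the old slice kept everything after `file://`. A comment such as `# Only the path component is used; a host in the file URL is ignored.` would make that deliberate. The function begins above the hunk.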
@@ -0,0 +1,7 @@ +--- +fixes: + - | + Fixes a issue where the working directory contains symbols such + as @. + The previous behaviour tries to load files with url encoded symbols. + `LP#2129687 `__ From 22fc03f15ef2930fe53442b53ac0003216e6ca8b Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 6 Nov 2025 13:04:13 +0100 Subject: [PATCH 102/187] CI: Fix CentOS Stream 10 host configure job The kayobe-overcloud-host-configure-centos10s job was failing with: Traceback (most recent call last): File "/tmp/ansible_pip_payload_zectmelk/ansible_pip_payload.zip/ansible/modules/pip.py", line 310, in from packaging.requirements import Requirement as parse_requirement ModuleNotFoundError: No module named 'packaging' This is resolved by ensuring setuptools is installed, which is the case on other operating system images used in CI. Change-Id: I3f91bc05e46497e37b8cdcea1d283da5a7286a83 Signed-off-by: Pierre Riteau --- playbooks/kayobe-overcloud-host-configure-base/pre.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/playbooks/kayobe-overcloud-host-configure-base/pre.yml b/playbooks/kayobe-overcloud-host-configure-base/pre.yml index 65e0a66f0..58603157a 100644 --- a/playbooks/kayobe-overcloud-host-configure-base/pre.yml +++ b/playbooks/kayobe-overcloud-host-configure-base/pre.yml @@ -3,9 +3,11 @@ vars: testinfra_venv: ~/testinfra-venv tasks: - - name: Ensure python3 is installed + - name: Ensure python3 and setuptools are installed package: - name: python3 + name: + - python3 + - python3-setuptools become: true - name: Install Python3.12 on RHEL derivatives From d5e6a9e782081fb2f89c61fafd67bcf9af3b8567 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 31 Oct 2025 09:41:01 +0100 Subject: [PATCH 103/187] Add centos/rocky 10 seed-images jobs Change-Id: Ia0f7040cfd009ff25c3b4dfa910560eae5eafc23 
Signed-off-by: Pierre Riteau --- playbooks/kayobe-seed-base/overrides.yml.j2 | 21 +++++++++++++++++---- zuul.d/jobs.yaml | 20 ++++++++++++++++++++ zuul.d/project.yaml | 6 +++--- 3 files changed, 40 insertions(+), 7 deletions(-) diff --git a/playbooks/kayobe-seed-base/overrides.yml.j2 b/playbooks/kayobe-seed-base/overrides.yml.j2 index 2c4c6213f..8f4987390 100644 --- a/playbooks/kayobe-seed-base/overrides.yml.j2 +++ b/playbooks/kayobe-seed-base/overrides.yml.j2 @@ -1,4 +1,13 @@ --- +{% if ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '10' %} +# Configure EPEL repository. Necessary for gdisk to be available. +# dnf_install_epel and dnf_use_local_mirror are both necessary to trigger +# templating of epel.repo. We use the official EPEL repository because there is +# no OpenDev mirror for EL10. +dnf_install_epel: true +dnf_use_local_mirror: true +{% endif %} + docker_daemon_debug: true # Use alternative registry image to avoid Docker Hub pull rate limit. docker_registry_image_full: "quay.io/libpod/registry:2.8.2" @@ -40,7 +49,9 @@ ipa_build_images: {{ build_images }} ipa_build_dib_elements_extra: # extra-hardware is currently failing on Ubuntu - "{% raw %}{{ 'extra-hardware' if os_distribution != 'ubuntu' else '' }}{% endraw %}" - - "openstack-ci-mirrors" + # Broken openstack-ci-mirrors for CentOS Stream 10. TODO(priteau): Remove + # conditional once https://review.opendev.org/965344 is released. + - "{% raw %}{{ 'openstack-ci-mirrors' if os_distribution != 'centos' else '' }}{% endraw %}" # Workaround for limited tmpfs space in CI ipa_build_dib_env_extra: 
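Review bot: The condition added to the `openstack-ci-mirrors` entry of `ipa_build_dib_elements_extra` tests `os_distribution != 'centos'`, which is wider than the comment above it. The comment says the element is broken for CentOS Stream 10, but the expression drops it for every CentOS release. If CentOS Stream 9 image builds still use these overrides, they silently lose the CI mirror configuration. Either narrow the test to the affected release or change the comment to say that all CentOS builds are excluded on purpose, for example `# openstack-ci-mirrors is skipped for all CentOS builds until the Stream 10 fix is released.` The same expression is added to `overcloud_dib_elements_extra` in the next hunk of this file.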
@@ -49,10 +60,12 @@ ipa_build_dib_env_extra: # Build overcloud host image. overcloud_dib_build_host_images: {{ build_images }} overcloud_dib_elements_extra: - - "openstack-ci-mirrors" + # Broken openstack-ci-mirrors for CentOS Stream 10. TODO(priteau): Remove + # conditional once https://review.opendev.org/965344 is released. + - "{% raw %}{{ 'openstack-ci-mirrors' if os_distribution != 'centos' else '' }}{% endraw %}" -# NOTE(bbezak): Kolla does not build CentOS Stream 9 container images. -# Using Rocky Linux 9 images on CentOS Stream 9 in CI. +# NOTE(bbezak): Kolla does not build CentOS Stream 10 container images. +# Using Rocky Linux 10 images on CentOS Stream 10 in CI. kolla_base_distro: "{% raw %}{{ 'rocky' if os_distribution == 'centos' else os_distribution }}{% endraw %}" # Support overriding container_engine diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 19b877921..2d7272bab 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -312,6 +312,12 @@ nodeset: kayobe-centos9s voting: false +- job: + name: kayobe-seed-images-centos10s + parent: kayobe-seed-images-base + nodeset: kayobe-centos10s + voting: false + # Build only the base container image in the kayobe-seed-images-rocky9 job # which always runs. Use `check experimental` to run the other jobs which build # more images. @@ -331,6 +337,20 @@ vars: container_engine: podman +- job: + name: kayobe-seed-images-rocky10 + parent: kayobe-seed-images-base + nodeset: kayobe-rocky10 + vars: + kayobe_control_host_become: false + +- job: + name: kayobe-seed-images-rocky10-podman + parent: kayobe-seed-images-base + nodeset: kayobe-rocky10 + vars: + container_engine: podman + - job: name: kayobe-seed-images-ubuntu-noble parent: kayobe-seed-images-base diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 17b729553..8303a77a9 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml 
@@ -77,9 +77,9 @@ - kayobe-overcloud-tls-rocky9 - kayobe-overcloud-upgrade-rocky9 - kayobe-seed-centos10s - - kayobe-seed-images-centos9s - - kayobe-seed-images-rocky9 - - kayobe-seed-images-rocky9-podman + - kayobe-seed-images-centos10s + - kayobe-seed-images-rocky10 + - kayobe-seed-images-rocky10-podman - kayobe-seed-images-ubuntu-noble - kayobe-seed-images-ubuntu-noble-podman - kayobe-seed-rocky9 From 15353c00b3399cb6b94874d0d508cf0874addbef Mon Sep 17 00:00:00 2001 From: Thomas Sell Date: Tue, 4 Nov 2025 18:06:45 +0100 Subject: [PATCH 104/187] Always call virtualenv as a Python module during setup Closes-Bug: #2130643 Change-Id: I39eec23d9ca3f8fe9b8d7e9693082ef5841dcffa Signed-off-by: Thomas Sell --- ansible/baremetal-compute-introspection-data-save.yml | 2 +- ansible/baremetal-compute-rename.yml | 3 ++- ansible/baremetal-compute-serial-console.yml | 3 ++- .../notes/fix-baremetal-serial-venv-946b4b7dd191662b.yaml | 5 +++++ 4 files changed, 10 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/fix-baremetal-serial-venv-946b4b7dd191662b.yaml diff --git a/ansible/baremetal-compute-introspection-data-save.yml b/ansible/baremetal-compute-introspection-data-save.yml index 85f17ce31..0d07932a2 100644 --- a/ansible/baremetal-compute-introspection-data-save.yml +++ b/ansible/baremetal-compute-introspection-data-save.yml @@ -8,11 +8,11 @@ - name: Set up openstack cli virtualenv pip: virtualenv: "{{ venv }}" - virtualenv_command: python3 -m venv name: - python-openstackclient - python-ironic-inspector-client state: latest + virtualenv_command: python3.{{ ansible_facts.python.version.minor }} -m venv extra_args: "{% if pip_upper_constraints_file %}-c {{ pip_upper_constraints_file }}{% endif %}" - name: Ensure the baremetal compute nodes' hardware introspection data is saved diff --git a/ansible/baremetal-compute-rename.yml b/ansible/baremetal-compute-rename.yml index d1ec5ddf8..b2dd3330c 100644 --- a/ansible/baremetal-compute-rename.yml 
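Review bot: In `ansible/baremetal-compute-introspection-data-save.yml` the new `virtualenv_command` is an unquoted scalar, while the same value is quoted in the two sibling playbooks changed by this commit. Quoting it here as well, `virtualenv_command: "python3.{{ ansible_facts.python.version.minor }} -m venv"`, keeps the three tasks identical and avoids a YAML parse error if the value is ever reordered to start with `{{`. The other two playbooks also switch `gather_facts` to `True` because the expression reads `ansible_facts.python`. The play header is outside this hunk, so it should be checked that facts are gathered for this play too.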
+++ b/ansible/baremetal-compute-rename.yml @@ -5,7 +5,7 @@ - name: Rename baremetal compute nodes hosts: controllers[0] - gather_facts: False + gather_facts: True vars: venv: "{{ virtualenv_path }}/openstack-cli" pre_tasks: @@ -16,6 +16,7 @@ - python-openstackclient - python-ironicclient state: latest + virtualenv_command: "python3.{{ ansible_facts.python.version.minor }} -m venv" extra_args: "{% if pip_upper_constraints_file %}-c {{ pip_upper_constraints_file }}{% endif %}" - name: Rename baremetal compute nodes diff --git a/ansible/baremetal-compute-serial-console.yml b/ansible/baremetal-compute-serial-console.yml index f87c6dc8b..9de0ae976 100644 --- a/ansible/baremetal-compute-serial-console.yml +++ b/ansible/baremetal-compute-serial-console.yml @@ -5,7 +5,7 @@ - name: Setup OpenStack Environment hosts: controllers[0] - gather_facts: False + gather_facts: True vars: venv: "{{ virtualenv_path }}/openstack-cli" pre_tasks: @@ -16,6 +16,7 @@ - python-openstackclient - python-ironicclient state: latest + virtualenv_command: "python3.{{ ansible_facts.python.version.minor }} -m venv" extra_args: "{% if pip_upper_constraints_file %}-c {{ pip_upper_constraints_file }}{% endif %}" - block: diff --git a/releasenotes/notes/fix-baremetal-serial-venv-946b4b7dd191662b.yaml b/releasenotes/notes/fix-baremetal-serial-venv-946b4b7dd191662b.yaml new file mode 100644 index 000000000..71e999ee6 --- /dev/null +++ b/releasenotes/notes/fix-baremetal-serial-venv-946b4b7dd191662b.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Call virtualenv as a Python module during baremetal compute serial console + setup to fix ``executable not found`` error on Rocky Linux. From 2f8cc7bec13180e247a4491eb5ae69621a50bf4e Mon Sep 17 00:00:00 2001 
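Review bot: `gather_facts: True` is now load-bearing in `baremetal-compute-rename.yml` and `baremetal-compute-serial-console.yml`, but nothing in either play says why, so it is easy to switch off again as an optimisation. A comment next to it such as `# Facts are needed for ansible_facts.python in virtualenv_command.` would prevent that. If only the Python version is needed, `gather_subset: min` should be enough and avoids full fact collection on the controller; please verify before adopting it. The release note added at the end of this commit mentions only the serial console playbook, although the rename and introspection playbooks receive the same change.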
From: Will Szumski Date: Fri, 17 Oct 2025 16:05:10 +0000 Subject: [PATCH 105/187] Replace local_action with delegate to localhost In preparation for the ansible bump: [DEPRECATION WARNING]: Using a mapping for `action` is deprecated. This feature will be removed from ansible-core version 2.23. Origin: /home/ubuntu/kayobe/ansible/roles/ssh-known-host/tasks/main.yml:31:5 29 - name: Ensure SSH keys are in known hosts 30 local_action: 31 module: known_hosts ^ column 5 Use a string value for `action`. Change-Id: I9ac26db07f68ecd3859412d3d33a964342be4cd0 Signed-off-by: Will Szumski --- ...baremetal-compute-introspection-data-save.yml | 8 ++++---- ansible/docker-registry.yml | 2 +- ansible/drac-facts.yml | 8 ++++---- ansible/dump-config.yml | 16 ++++++++-------- ansible/opensm.yml | 2 +- ansible/overcloud-introspection-data-save.yml | 8 ++++---- ansible/overcloud-inventory-discover.yml | 4 ++-- ansible/overcloud-provision.yml | 4 ++-- ansible/roles/console-allocation/tasks/main.yml | 4 ++-- ansible/roles/dell-switch/tasks/main.yml | 12 ++++++------ ansible/roles/ip-allocation/tasks/main.yml | 4 ++-- ansible/roles/junos-switch/tasks/main.yml | 4 ++-- .../molecule/enable-everything/prepare.yml | 16 ++++++++-------- ansible/roles/ssh-known-host/tasks/main.yml | 8 ++++---- ansible/seed-manage-containers.yml | 4 ++-- ansible/seed-vm-provision.yml | 4 ++-- requirements.yml | 6 ++++++ 17 files changed, 60 insertions(+), 54 deletions(-) diff --git a/ansible/baremetal-compute-introspection-data-save.yml b/ansible/baremetal-compute-introspection-data-save.yml index 0d07932a2..505349e5a 100644 --- a/ansible/baremetal-compute-introspection-data-save.yml +++ b/ansible/baremetal-compute-introspection-data-save.yml 
@@ -44,14 +44,14 @@ ansible_host: "{{ hostvars[controller_host].ansible_host | default(controller_host) }}" - name: Ensure introspection data output directory exists - local_action: - module: file + delegate_to: localhost + file: path: "{{ output_dir }}" state: directory - name: Ensure introspection data is saved locally - local_action: - module: copy + delegate_to: localhost + copy: content: "{{ introspection_data_map[output_format | lower] }}" dest: "{{ output_dir }}/{{ inventory_hostname }}.{{ output_format | lower }}" when: save_result.rc == 0 diff --git a/ansible/docker-registry.yml b/ansible/docker-registry.yml index c721e023a..2fb05bb90 100644 --- a/ansible/docker-registry.yml +++ b/ansible/docker-registry.yml @@ -12,5 +12,5 @@ - docker-registry roles: - role: docker-registry - docker_registry_action: "{{ kayobe_action }}" + docker_registry_action: "{{ kayobe_action | default('deploy') }}" docker_registry_config_path: "{{ config_path }}/docker-registry" diff --git a/ansible/drac-facts.yml b/ansible/drac-facts.yml index 41bf7e486..83af97d00 100644 --- a/ansible/drac-facts.yml +++ b/ansible/drac-facts.yml @@ -11,8 +11,8 @@ - role: stackhpc.drac-facts tasks: - name: Gather facts via DRAC - local_action: - module: drac_facts + delegate_to: localhost + drac_facts: address: "{{ ipmi_address }}" username: "{{ ipmi_username }}" password: "{{ ipmi_password }}" @@ -23,7 +23,7 @@ var: result - name: Write facts to a file - local_action: - module: copy + delegate_to: localhost + copy: content: "{{ result }}" dest: "/tmp/drac-facts-{{ inventory_hostname }}.json" diff --git a/ansible/dump-config.yml b/ansible/dump-config.yml index 46ebc089f..f740a063a 100644 --- a/ansible/dump-config.yml +++ b/ansible/dump-config.yml 
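Review bot: `docker_registry_action: "{{ kayobe_action | default('deploy') }}"` in `ansible/docker-registry.yml` is a behaviour change that the commit message, which is only about replacing `local_action`, does not mention. Before this change an undefined `kayobe_action` would normally stop the play with an undefined-variable error; now the role silently performs a deploy. The same default is added in `ansible/opensm.yml` and `ansible/seed-manage-containers.yml`. If the default is intended, I would state it in the commit message or a release note and add a short comment such as `# Default to deploy when kayobe_action is not passed in.` at each site.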
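Review bot: The `Write facts to a file` task in `ansible/drac-facts.yml`, now a delegated `copy`, writes to the predictable path `/tmp/drac-facts-{{ inventory_hostname }}.json` and sets no `mode`. The file is therefore created according to the caller's umask in a directory shared with other local users. Since the task is being rewritten anyway, I would add `mode: "0600"` and prefer a destination under a directory the operator owns rather than `/tmp`. Whether the DRAC facts contain anything sensitive is not visible in this hunk, but inventory data from out-of-band controllers is usually not meant to be world-readable.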
@@ -20,27 +20,27 @@ dump_hosts: all tasks: - name: Create configuration dump directory - local_action: - module: file + delegate_to: localhost + file: path: "{{ dump_path }}" state: directory - name: Write host config to file - local_action: - module: copy + delegate_to: localhost + copy: content: "{{ hostvars[inventory_hostname] | to_nice_yaml }}" dest: "{{ dump_path }}/{{ inventory_hostname }}.yml" when: dump_var_name is not defined - name: Write host variable to file - local_action: - module: copy + delegate_to: localhost + copy: content: "{{ hostvars[inventory_hostname][dump_var_name] | to_nice_yaml }}" dest: "{{ dump_path }}/{{ inventory_hostname }}.yml" when: dump_var_name is defined # - name: Write merged config to file -# local_action: -# module: copy +# delegate_to: localhost +# copy: # content: "{{ hostvars | merge_config | to_nice_yaml }}" # dest: "{{ dump_path }}/merged.yml diff --git a/ansible/opensm.yml b/ansible/opensm.yml index bee7e5175..19b94dd9d 100644 --- a/ansible/opensm.yml +++ b/ansible/opensm.yml @@ -12,4 +12,4 @@ - opensm roles: - role: opensm - opensm_action: "{{ kayobe_action }}" + opensm_action: "{{ kayobe_action | default('deploy') }}" diff --git a/ansible/overcloud-introspection-data-save.yml b/ansible/overcloud-introspection-data-save.yml index 236a06bbb..284a899f2 100644 --- a/ansible/overcloud-introspection-data-save.yml +++ b/ansible/overcloud-introspection-data-save.yml @@ -38,14 +38,14 @@ become: "{{ container_engine == 'podman' }}" - name: Ensure introspection data output directory exists - local_action: - module: file + delegate_to: localhost + file: path: "{{ output_dir }}" state: directory - name: Ensure introspection data is saved locally - local_action: - module: copy + delegate_to: localhost + copy: content: "{{ introspection_data_map[output_format | lower] }}" dest: "{{ output_dir }}/{{ inventory_hostname }}.{{ output_format | lower }}" when: save_result.rc == 0 
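Review bot: The rewritten `copy` tasks in `ansible/dump-config.yml` serialise `hostvars[inventory_hostname]` to `{{ dump_path }}/{{ inventory_hostname }}.yml` without setting `mode`, and the `file` task creates the directory without one either. Variables such as `ipmi_password` are referenced elsewhere in this patch series (`drac-facts.yml`), so a dump of host variables can contain credentials that end up readable according to the caller's umask. I would add `mode: "0700"` to the directory task and `mode: "0600"` to both copy tasks. Where `dump_path` points by default is outside this hunk.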
diff --git a/ansible/overcloud-inventory-discover.yml b/ansible/overcloud-inventory-discover.yml index cabcaa5fd..c41466a53 100644 --- a/ansible/overcloud-inventory-discover.yml +++ b/ansible/overcloud-inventory-discover.yml @@ -23,8 +23,8 @@ ironic_inventory: "{{ inventory_result.stdout | from_json }}" - name: Ensure Kayobe overcloud inventory exists - local_action: - module: copy + delegate_to: localhost + copy: content: | # Managed by Ansible - do not edit. # This is the Kayobe overcloud inventory, autogenerated from the seed diff --git a/ansible/overcloud-provision.yml b/ansible/overcloud-provision.yml index 6b49a6fa0..424b45756 100644 --- a/ansible/overcloud-provision.yml +++ b/ansible/overcloud-provision.yml @@ -221,8 +221,8 @@ - final_provision_state != 'active' - name: Wait for SSH access to the nodes - local_action: - module: wait_for + delegate_to: localhost + wait_for: host: "{{ ansible_host }}" port: 22 state: started diff --git a/ansible/roles/console-allocation/tasks/main.yml b/ansible/roles/console-allocation/tasks/main.yml index 2445181b7..cb67e2f12 100644 --- a/ansible/roles/console-allocation/tasks/main.yml +++ b/ansible/roles/console-allocation/tasks/main.yml @@ -35,8 +35,8 @@ # NOTE(mgoddard): Use the Python interpreter used to run ansible-playbook, # since this has Python dependencies available to it (PyYAML). ansible_python_interpreter: "{{ ansible_playbook_python }}" - local_action: - module: console_allocation + delegate_to: localhost + console_allocation: allocation_file: "{{ console_allocation_filename }}" nodes: "{{ console_allocation_ironic_nodes }}" allocation_pool_start: "{{ console_allocation_pool_start }}" diff --git a/ansible/roles/dell-switch/tasks/main.yml b/ansible/roles/dell-switch/tasks/main.yml index fc3d6268e..958b04b71 100644 --- a/ansible/roles/dell-switch/tasks/main.yml +++ b/ansible/roles/dell-switch/tasks/main.yml 
@@ -1,23 +1,23 @@ --- - name: Ensure DellOS6 switches are configured - local_action: - module: dellos6_config + delegate_to: localhost + dellemc.os6.os6: provider: "{{ dell_switch_provider }}" src: "{{ lookup('template', 'dellos6-config.j2') }}" save: "{{ dell_switch_save | bool }}" when: dell_switch_type == 'dellos6' - name: Ensure DellOS9 switches are configured - local_action: - module: dellos9_config + delegate_to: localhost + dellemc.os9.os9: provider: "{{ dell_switch_provider }}" src: "{{ lookup('template', 'dellos9-config.j2') }}" save: "{{ dell_switch_save | bool }}" when: dell_switch_type == 'dellos9' - name: Ensure DellOS10 switches are configured - local_action: - module: dellos10_config + delegate_to: localhost + dellemc.os10.os10: provider: "{{ dell_switch_provider }}" src: "{{ lookup('template', 'dellos10-config.j2') }}" save: "{{ dell_switch_save | bool }}" diff --git a/ansible/roles/ip-allocation/tasks/main.yml b/ansible/roles/ip-allocation/tasks/main.yml index 93360a00c..a30457be5 100644 --- a/ansible/roles/ip-allocation/tasks/main.yml +++ b/ansible/roles/ip-allocation/tasks/main.yml @@ -4,8 +4,8 @@ # NOTE(mgoddard): Use the Python interpreter used to run ansible-playbook, # since this has Python dependencies available to it (PyYAML). ansible_python_interpreter: "{{ ansible_playbook_python }}" - local_action: - module: ip_allocation + delegate_to: localhost + ip_allocation: allocation_file: "{{ ip_allocation_filename }}" hostname: "{{ ip_allocation_hostname }}" net_name: "{{ item.net_name }}" diff --git a/ansible/roles/junos-switch/tasks/main.yml b/ansible/roles/junos-switch/tasks/main.yml index d5fea0cce..c76f006f1 100644 --- a/ansible/roles/junos-switch/tasks/main.yml +++ b/ansible/roles/junos-switch/tasks/main.yml 
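Review bot: The three Dell tasks in `ansible/roles/dell-switch/tasks/main.yml` now call `dellemc.os6.os6`, `dellemc.os9.os9` and `dellemc.os10.os10`, which do not look like module names. The names being replaced were `dellos6_config`, `dellos9_config` and `dellos10_config`, and as far as I know the collections ship the configuration module as `os6_config`, `os9_config` and `os10_config`, with `os6`/`os9`/`os10` being the network OS plugin names. If that is right, these tasks fail to resolve the action at run time. I would use `dellemc.os6.os6_config:`, `dellemc.os9.os9_config:` and `dellemc.os10.os10_config:`, and check that `provider`, `src` and `save` are still accepted by the collection versions pinned in `requirements.yml`.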
@@ -6,8 +6,8 @@ # NOTE(mgoddard): 0.6.7 includes a fix for host key checking: # https://github.com/ncclient/ncclient/issues/302. ncclient_version: ">=0.6.7,<0.7.0" - local_action: - module: pip + delegate_to: localhost + pip: name: "ncclient{{ ncclient_version }}" virtualenv: "{{ lookup('env', 'VIRTUAL_ENV') | default(omit, true) }}" become: "{{ lookup('env', 'VIRTUAL_ENV') == None }}" diff --git a/ansible/roles/kolla-openstack/molecule/enable-everything/prepare.yml b/ansible/roles/kolla-openstack/molecule/enable-everything/prepare.yml index a39c596c9..4e945b3aa 100644 --- a/ansible/roles/kolla-openstack/molecule/enable-everything/prepare.yml +++ b/ansible/roles/kolla-openstack/molecule/enable-everything/prepare.yml @@ -4,8 +4,8 @@ gather_facts: false tasks: - name: Ensure ironic inspector kernel and ramdisk image directory exists - local_action: - module: file + delegate_to: localhost + file: path: "{{ item | dirname }}" state: directory recurse: true @@ -18,8 +18,8 @@ # versions of docker. Using non-empty files seems to resolve the issue. # See https://github.com/ansible/ansible/issues/36725. - name: Ensure ironic inspector kernel and ramdisk images exist - local_action: - module: copy + delegate_to: localhost + copy: content: fake image dest: "{{ item }}" with_items: @@ -117,8 +117,8 @@ label: "{{ item.dest }}" - name: Ensure nova libvirt certificates directory exists - local_action: - module: file + delegate_to: localhost + file: path: "{{ kolla_nova_libvirt_certificates_src }}" state: directory @@ -127,8 +127,8 @@ # versions of docker. Using non-empty files seems to resolve the issue. # See https://github.com/ansible/ansible/issues/36725. - name: Ensure nova libvirt certificates exist - local_action: - module: copy + delegate_to: localhost + copy: content: fake cert dest: "{{ kolla_nova_libvirt_certificates_src }}/{{ item }}" with_items: 
diff --git a/ansible/roles/ssh-known-host/tasks/main.yml b/ansible/roles/ssh-known-host/tasks/main.yml index a59ceffc1..75257f71c 100644 --- a/ansible/roles/ssh-known-host/tasks/main.yml +++ b/ansible/roles/ssh-known-host/tasks/main.yml @@ -16,8 +16,8 @@ # NOTE(priteau): Exclude comments from ssh-keyscan output because they break # known_hosts on centos/rocky 10. - name: Scan for SSH keys - local_action: - module: shell ssh-keyscan {{ item }} | grep -v '^#' + delegate_to: localhost + shell: ssh-keyscan {{ item }} | grep -v '^#' with_items: - "{{ ansible_host | default(inventory_hostname) }}" register: keyscan_result @@ -27,8 +27,8 @@ # concurrently, and some keys can end up being dropped. For more details see # https://github.com/ansible/proposals/issues/113 - name: Ensure SSH keys are in known hosts - local_action: - module: known_hosts + delegate_to: localhost + known_hosts: host: "{{ item[0].item }}" key: "{{ item[1] }}" with_subelements: diff --git a/ansible/seed-manage-containers.yml b/ansible/seed-manage-containers.yml index dd81a079b..10cd6c0ab 100644 --- a/ansible/seed-manage-containers.yml +++ b/ansible/seed-manage-containers.yml @@ -1,10 +1,10 @@ --- -- name: "Ensure defined container images are {{ kayobe_action }}ed on seed node" +- name: "Ensure defined container images are {{ kayobe_action | default('deploy') }}ed on seed node" hosts: seed tags: - seed-deploy-containers - seed-manage-containers vars: - manage_containers_action: "{{ kayobe_action }}" + manage_containers_action: "{{ kayobe_action | default('deploy') }}" roles: - role: manage-containers diff --git a/ansible/seed-vm-provision.yml b/ansible/seed-vm-provision.yml index 1424cc5b0..87a142121 100644 --- a/ansible/seed-vm-provision.yml +++ b/ansible/seed-vm-provision.yml 
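Review bot: In the `Scan for SSH keys` task of `ansible/roles/ssh-known-host/tasks/main.yml`, `{{ item }}` is interpolated unquoted into a `shell` command line, so an `ansible_host` or inventory hostname containing shell metacharacters would be interpreted by the local shell. Inventory is normally operator-controlled, but it can also be generated (this repository autogenerates an overcloud inventory), so I would write `shell: ssh-keyscan {{ item | quote }} | grep -v '^#'`. The keys returned by `ssh-keyscan` are added to `known_hosts` in the following task without an out-of-band check. A comment stating that this is trust-on-first-use would help readers judge on which networks the role is safe to run.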
@@ -124,8 +124,8 @@ console_log_enabled: true tasks: - name: Wait for SSH access to the seed VM - local_action: - module: wait_for + delegate_to: localhost + wait_for: host: "{{ hostvars[seed_host].ansible_host }}" port: 22 state: started diff --git a/requirements.yml b/requirements.yml index ef419f34d..b87c418c3 100644 --- a/requirements.yml +++ b/requirements.yml @@ -5,6 +5,12 @@ collections: version: master - name: community.docker version: 3.11.0 + - name: community.network + version: 5.1.0 + - name: dellemc.os6 + version: 1.0.7 + - name: dellemc.os9 + version: 1.0.4 - name: dellemc.os10 version: 1.2.7 - name: nvidia.nvue From a6e29d219cdbbbbc5730799e16d31c5e4496bf09 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 12 Nov 2025 12:59:32 +0100 Subject: [PATCH 106/187] Drop support for CentOS Stream 9 and Rocky Linux 9 CentOS Stream 9 and Rocky Linux 9 are no longer supported as host operating systems or base container images. This also drops all the related testing in CI. Note that IPA images still use CentOS Stream 9 until images built on CentOS Stream 10 are fully validated. Change-Id: I3f0eccec38c644484ffc27891e844cdf05cb28bd 
Signed-off-by: Pierre Riteau --- ansible/inventory/group_vars/all/globals | 11 +- ansible/inventory/group_vars/all/infra-vms | 14 +- ansible/inventory/group_vars/all/seed-vm | 14 +- ansible/roles/kolla-ansible/vars/RedHat.yml | 4 +- dev/functions | 20 +-- .../configuration/reference/bifrost.rst | 2 +- .../configuration/reference/network.rst | 9 +- .../reference/os-distribution.rst | 8 +- .../configuration/reference/overcloud-dib.rst | 2 +- doc/source/contributor/testing.rst | 2 +- doc/source/installation.rst | 4 +- doc/source/resources.rst | 11 +- doc/source/support-matrix.rst | 16 +- etc/kayobe/globals.yml | 6 +- etc/kayobe/infra-vms.yml | 6 +- etc/kayobe/seed-vm.yml | 6 +- kayobe/plugins/filter/networks.py | 6 +- .../infra-vms-group-vars.j2 | 2 +- .../kayobe-overcloud-base/overrides.yml.j2 | 4 +- .../overrides.yml.j2 | 15 -- .../pre.yml | 13 +- .../kayobe-seed-vm-base/seed-group-vars.j2 | 2 +- .../notes/rocky-10-8d56e4bfffe39c08.yaml | 14 ++ zuul.d/jobs.yaml | 168 +----------------- zuul.d/nodesets.yaml | 12 -- zuul.d/project.yaml | 26 +-- 26 files changed, 78 insertions(+), 319 deletions(-) create mode 100644 releasenotes/notes/rocky-10-8d56e4bfffe39c08.yaml diff --git a/ansible/inventory/group_vars/all/globals b/ansible/inventory/group_vars/all/globals index 492307337..719368a6f 100644 --- a/ansible/inventory/group_vars/all/globals +++ b/ansible/inventory/group_vars/all/globals 
@@ -52,13 +52,12 @@ kayobe_ansible_user: "stack" # is "rocky". os_distribution: "rocky" -# OS release. Valid options are "9-stream" and "10-stream" (with "9-stream" -# being the default) when os_distribution is "centos", "9" and "10" (with "9" -# being the default) when os_distribution is "rocky", or "noble" when -# os_distribution is "ubuntu". +# OS release. Valid options are "10-stream" when os_distribution is "centos", +# "10" when os_distribution is "rocky", or "noble" when os_distribution is +# "ubuntu". os_release: >- - {{ '9-stream' if os_distribution == 'centos' - else '9' if os_distribution == 'rocky' + {{ '10-stream' if os_distribution == 'centos' + else '10' if os_distribution == 'rocky' else 'noble' }} ############################################################################### diff --git a/ansible/inventory/group_vars/all/infra-vms b/ansible/inventory/group_vars/all/infra-vms index ea0527e3d..58b91b97a 100644 --- a/ansible/inventory/group_vars/all/infra-vms +++ b/ansible/inventory/group_vars/all/infra-vms 
@@ -43,30 +43,18 @@ infra_vm_root_format: qcow2 # Base image for the infra VM root volume. Default is # "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img" # when os_distribution is "ubuntu", -# "https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2" -# when os_distribution is "rocky" and os_release is "9", # "https://dl.rockylinux.org/pub/rocky/10/images/x86_64/Rocky-10-GenericCloud-Base.latest.x86_64.qcow2" -# when os_distribution is "rocky" and os_release is "10", -# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-9-latest.x86_64.qcow2" -# when os_distribution is "centos" and os_release is "9-stream", or +# when os_distribution is "rocky", or # "https://cloud.centos.org/centos/10-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-10-latest.x86_64.qcow2" # otherwise. infra_vm_root_image: >- {%- if os_distribution == 'ubuntu' %} https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img {%- elif os_distribution == 'rocky' %} - {%- if os_release == '9' %} - https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 - {%- else -%} https://dl.rockylinux.org/pub/rocky/10/images/x86_64/Rocky-10-GenericCloud-Base.latest.x86_64.qcow2 - {%- endif %} - {%- else -%} - {%- if os_release == '9-stream' %} - https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-9-latest.x86_64.qcow2 {%- else -%} https://cloud.centos.org/centos/10-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-10-latest.x86_64.qcow2 {%- endif %} - {%- endif %} # Capacity of the infra VM data volume. infra_vm_data_capacity: 100G diff --git a/ansible/inventory/group_vars/all/seed-vm b/ansible/inventory/group_vars/all/seed-vm index 4283c413e..674d0384b 100644 --- a/ansible/inventory/group_vars/all/seed-vm +++ b/ansible/inventory/group_vars/all/seed-vm 
@@ -43,30 +43,18 @@ seed_vm_root_format: qcow2 # Base image for the seed VM root volume. Default is # "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img" # when os_distribution is "ubuntu", -# "https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2" -# when os_distribution is "rocky" and os_release is "9", # "https://dl.rockylinux.org/pub/rocky/10/images/x86_64/Rocky-10-GenericCloud-Base.latest.x86_64.qcow2" -# when os_distribution is "rocky" and os_release is "10", -# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-9-latest.x86_64.qcow2" -# when os_distribution is "centos" and os_release is "9-stream", or +# when os_distribution is "rocky", or # "https://cloud.centos.org/centos/10-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-10-latest.x86_64.qcow2" # otherwise. seed_vm_root_image: >- {%- if os_distribution == 'ubuntu' %} https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img {%- elif os_distribution == 'rocky' %} - {%- if os_release == '9' %} - https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 - {%- else -%} https://dl.rockylinux.org/pub/rocky/10/images/x86_64/Rocky-10-GenericCloud-Base.latest.x86_64.qcow2 - {%- endif %} - {%- else -%} - {%- if os_release == '9-stream' %} - https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-9-latest.x86_64.qcow2 {%- else -%} https://cloud.centos.org/centos/10-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-10-latest.x86_64.qcow2 {%- endif %} - {%- endif %} # Capacity of the seed VM data volume. seed_vm_data_capacity: 100G diff --git a/ansible/roles/kolla-ansible/vars/RedHat.yml b/ansible/roles/kolla-ansible/vars/RedHat.yml index 008dcd0f5..dd9e59bc3 100644 --- a/ansible/roles/kolla-ansible/vars/RedHat.yml +++ b/ansible/roles/kolla-ansible/vars/RedHat.yml 
@@ -5,6 +5,6 @@ kolla_ansible_package_dependencies: - git - libffi-devel - openssl-devel - - "{{ 'python3.12' if ansible_facts.distribution_major_version == '9' else 'python3' }}" - - "{{ 'python3.12-devel' if ansible_facts.distribution_major_version == '9' else 'python3-devel' }}" + - python3 + - python3-devel - rsync diff --git a/dev/functions b/dev/functions index d59c28ca6..4a627e2a9 100644 --- a/dev/functions +++ b/dev/functions @@ -141,18 +141,10 @@ function is_yum { fi } -function get_python { - if is_dnf; then - echo python3.12 - else - echo python3 - fi -} - function install_dependencies { echo "Installing package dependencies for kayobe" if is_dnf; then - sudo dnf -y install gcc git vim python3-devel python3-pyyaml libffi-devel python3.12-devel python3.12 python3.12-pyyaml + sudo dnf -y install gcc git vim python3-devel python3-pyyaml libffi-devel elif is_yum; then echo "CentOS 7 is no longer supported" exit 1 @@ -174,7 +166,7 @@ function install_venv { fi if [[ ! -f "${venv_path}/bin/activate" ]]; then echo "Creating virtual environment in ${venv_path}" - $(get_python) -m venv "${venv_path}" + python3 -m venv "${venv_path}" # NOTE: Virtualenv's activate and deactivate scripts reference an # unbound variable. set +u @@ -200,9 +192,7 @@ function install_venv_system_site_packages { fi if [[ ! -f "${venv_path}/bin/activate" ]]; then echo "Creating virtual environment in ${venv_path}" - # NOTE(wszumski): tenks doesn't currently support not using the system python - # interpreter with: "Failed to detect selinux python bindings" - /usr/bin/python3 -m venv --system-site-packages "${venv_path}" + python3 -m venv --system-site-packages "${venv_path}" # NOTE: Virtualenv's activate and deactivate scripts reference an # unbound variable. set +u 
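Review bot: In `install_venv_system_site_packages` (`dev/functions`) the interpreter changes from `/usr/bin/python3` to whatever `python3` is first on `PATH`, and the comment explaining why the system interpreter was required (tenks failing with `Failed to detect selinux python bindings`) is removed. Dropping python3.12 removes the version mismatch, but a `--system-site-packages` venv only sees the distribution's selinux bindings when it is created from the distribution interpreter. A pyenv shim, an active virtualenv or `/usr/local/bin` could shadow that interpreter. I would keep `/usr/bin/python3 -m venv --system-site-packages "${venv_path}"` together with the original note. The function body extends beyond this hunk.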
@@ -228,9 +218,7 @@ function install_kayobe_dev_venv { function upgrade_kayobe_venv { echo "Upgrading kayobe virtual environment in ${KAYOBE_VENV_PATH}" - # NOTE(wszumski): We need to recreate the old virtualenv to switch to python3.12 - rm -rf "${KAYOBE_VENV_PATH}" - $(get_python) -m venv "${KAYOBE_VENV_PATH}" + python3 -m venv "${KAYOBE_VENV_PATH}" # NOTE: Virtualenv's activate and deactivate scripts reference an # unbound variable. set +u diff --git a/doc/source/configuration/reference/bifrost.rst b/doc/source/configuration/reference/bifrost.rst index 90e270f75..4180dd3da 100644 --- a/doc/source/configuration/reference/bifrost.rst +++ b/doc/source/configuration/reference/bifrost.rst @@ -77,7 +77,7 @@ information on building disk images. The default configuration builds a whole disk (partitioned) image using the selected :ref:`OS distribution ` with serial console enabled, -and SELinux disabled if CentOS Stream is used. Rocky Linux 9 users should use +and SELinux disabled if CentOS Stream is used. Rocky Linux 10 users should use the default method of building images with :ref:`Diskimage builder directly `. diff --git a/doc/source/configuration/reference/network.rst b/doc/source/configuration/reference/network.rst index 595d1e110..e134c1343 100644 --- a/doc/source/configuration/reference/network.rst +++ b/doc/source/configuration/reference/network.rst @@ -302,8 +302,7 @@ String format rules (CentOS Stream/Rocky Linux only) The string format of a rule is the string which would be appended to ``ip rule `` to create or delete the rule. Note that when using NetworkManager -(the default since Zed and in Yoga when using Rocky Linux 9) the table must be -specified by ID. +(the default when using Rocky Linux 10) the table must be specified by ID. To configure a network called ``example`` with an IP routing policy rule to handle traffic from the subnet ``10.1.0.0/24`` using the routing table with ID 
@@ -396,9 +395,9 @@ The following attributes are supported: ``bridge_stp`` .. note:: - For Rocky Linux 9, the ``bridge_stp`` attribute is set to false to preserve - backwards compatibility with network scripts. This is because the Network - Manager sets STP to true by default on bridges. + For Rocky Linux 10, the ``bridge_stp`` attribute is set to false to + preserve backwards compatibility with network scripts. This is because + the Network Manager sets STP to true by default on bridges. Enable or disable the Spanning Tree Protocol (STP) on this bridge. Should be set to a boolean value. The default is not set on Ubuntu systems. diff --git a/doc/source/configuration/reference/os-distribution.rst b/doc/source/configuration/reference/os-distribution.rst index 153f035b0..5f29d95ec 100644 --- a/doc/source/configuration/reference/os-distribution.rst +++ b/doc/source/configuration/reference/os-distribution.rst @@ -15,10 +15,10 @@ or ``rocky`` or ``ubuntu``, and defaults to ``rocky``. The ``os_release`` variable in ``etc/kayobe/globals.yml`` can be used to set the release of the OS. When ``os_distribution`` is set to ``centos`` it may be -set to ``9-stream`` or ``10-stream``, and ``9-stream`` is its default value. -When ``os_distribution`` is set to ``rocky`` it may be set to ``9`` or ``10``, -and ``9`` is its default value. When ``os_distribution`` is set to ``ubuntu`` -it may be set to ``noble``, and this is its default value. +set to ``10-stream``, and this is its default value. When ``os_distribution`` +is set to ``rocky`` it may be set to ``10``, and this is its default value. +When ``os_distribution`` is set to ``ubuntu`` it may be set to ``noble``, and +this is its default value. These variables are used to set various defaults, including: diff --git a/doc/source/configuration/reference/overcloud-dib.rst b/doc/source/configuration/reference/overcloud-dib.rst index 1593e20b4..db537f9a6 100644 --- a/doc/source/configuration/reference/overcloud-dib.rst 
+++ b/doc/source/configuration/reference/overcloud-dib.rst @@ -34,7 +34,7 @@ how these images are built. Consult the information on building disk images. The default configuration builds a whole disk (partitioned) image using the -selected :ref:`OS distribution ` (Rocky Linux 9 by default) +selected :ref:`OS distribution ` (Rocky Linux 10 by default) with serial console enabled, and SELinux disabled if CentOS Stream or Rocky Linux is used. `Cloud-init `__ is used to process diff --git a/doc/source/contributor/testing.rst b/doc/source/contributor/testing.rst index b11cd4e48..c2ed7088a 100644 --- a/doc/source/contributor/testing.rst +++ b/doc/source/contributor/testing.rst @@ -18,7 +18,7 @@ running kayobe's tests. sudo apt-get install build-essential python3-dev libssl-dev python3-pip git -* Fedora or CentOS Stream 9/Rocky 9/RHEL 9:: +* Fedora or CentOS Stream 10/Rocky 10/RHEL 10:: sudo dnf install python3-devel openssl-devel python3-pip git gcc diff --git a/doc/source/installation.rst b/doc/source/installation.rst index 01fd80f2f..b301e8d18 100644 --- a/doc/source/installation.rst +++ b/doc/source/installation.rst @@ -15,8 +15,8 @@ Prerequisites Currently Kayobe supports the following Operating Systems on the Ansible control host: -- CentOS Stream 9 (since Zed 13.0.0 release) -- Rocky Linux 9 (since Zed 13.0.0 release) +- CentOS Stream 10 (since Flamingo 19.0.0 release) +- Rocky Linux 10 (since Flamingo 19.0.0 release) - Ubuntu Noble 24.04 (since Dalmatian 17.0.0 release) See the :doc:`support matrix ` for details of supported diff --git a/doc/source/resources.rst b/doc/source/resources.rst index 31b67e565..8874f7fc8 100644 --- a/doc/source/resources.rst +++ b/doc/source/resources.rst 
@@ -22,8 +22,9 @@ OpenStack using Kolla, Ansible and Kayobe. The guide makes use of baremetal environment running on a single hypervisor. To complete the walkthrough you will require a baremetal or VM hypervisor -running CentOS Stream 9, Rocky Linux 9 or Ubuntu Noble 24.04 (since Dalmatian -17.0.0) with at least 32GB RAM & 80GB disk space. Preparing the deployment can -take some time - where possible it is beneficial to snapshot the hypervisor. We -advise making a snapshot after creating the initial 'seed' VM as this will make -additional deployments significantly faster. +running CentOS Stream 10 (since Flamingo 19.0.0), Rocky Linux 10 (since +Flamingo 19.0.0) or Ubuntu Noble 24.04 (since Dalmatian 17.0.0) with at least +32GB RAM & 80GB disk space. Preparing the deployment can take some time - where +possible it is beneficial to snapshot the hypervisor. We advise making a +snapshot after creating the initial 'seed' VM as this will make additional +deployments significantly faster. diff --git a/doc/source/support-matrix.rst b/doc/source/support-matrix.rst index e52fa111c..fe973e3ef 100644 --- a/doc/source/support-matrix.rst +++ b/doc/source/support-matrix.rst 
@@ -9,22 +9,24 @@ Supported Operating Systems Kayobe supports the following host Operating Systems (OS): -* Rocky Linux 9 (since Zed 13.0.0 release) +* Rocky Linux 10 (since Flamingo 19.0.0 release) * Ubuntu Noble 24.04 (since Dalmatian 17.0.0 release) -In addition to that CentOS Stream 9 host OS is functional, but not officially -supported. Kolla does not publish CentOS Stream 9 images to Docker Hub/Quay.io, +In addition to that CentOS Stream 10 host OS is functional, but not officially +supported. Kolla does not publish CentOS Stream 10 images to Docker Hub/Quay.io, therefore users need to build them by themselves. .. note:: - CentOS Stream 8 is no longer supported as a host OS. The Yoga release - supports both CentOS Stream 8 and 9, and provides a route for migration. + CentOS Stream 9 is no longer supported as a host OS. The 2025.1 Epoxy + release will in future support both CentOS Stream 9 and 10 to provide a + route for migration. .. note:: - Rocky Linux 8 is no longer supported as a host OS. The Yoga release supports - both Rocky Linux 8 and 9, and provides a route for migration. + Rocky Linux 9 is no longer supported as a host OS. The 2025.1 Epoxy release + will in future support both CentOS Stream 9 and 10 to provide a route for + migration. Supported container images ~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/etc/kayobe/globals.yml b/etc/kayobe/globals.yml index bb21aca71..13f340e57 100644 --- a/etc/kayobe/globals.yml +++ b/etc/kayobe/globals.yml @@ -48,9 +48,9 @@ # is "rocky". #os_distribution: -# OS release. Valid options are "9-stream" and "10-stream" (with "9-stream" -# being the default) when os_distribution is "centos", "9" and "10" (with "9" -# being the default) when os_distribution is "rocky", or "noble" when +# OS release. Valid options are "10-stream" when os_distribution is "centos", +# "10" when os_distribution is "rocky", or "noble" when os_distribution is +# "ubuntu". # os_distribution is "ubuntu". #os_release: 
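Review bot: The rewritten `os_release` comment in etc/kayobe/globals.yml ends with a stray duplicate line. The three added lines already finish the sentence with `# "ubuntu".`, but the old trailing line `# os_distribution is "ubuntu".` is kept as context. The comment therefore reads `... or "noble" when os_distribution is "ubuntu". os_distribution is "ubuntu".` Delete the leftover `# os_distribution is "ubuntu".` line, or end the second added line at `or "noble" when` so the kept line completes the sentence.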
diff --git a/etc/kayobe/infra-vms.yml b/etc/kayobe/infra-vms.yml index 2b012b8e5..076a3e695 100644 --- a/etc/kayobe/infra-vms.yml +++ b/etc/kayobe/infra-vms.yml @@ -32,12 +32,8 @@ # Base image for the infra VM root volume. Default is # "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img" # when os_distribution is "ubuntu", -# "https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2" -# when os_distribution is "rocky" and os_release is "9", # "https://dl.rockylinux.org/pub/rocky/10/images/x86_64/Rocky-10-GenericCloud-Base.latest.x86_64.qcow2" -# when os_distribution is "rocky" and os_release is "10", -# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-9-latest.x86_64.qcow2" -# when os_distribution is "centos" and os_release is "9-stream", or +# when os_distribution is "rocky", or # "https://cloud.centos.org/centos/10-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-10-latest.x86_64.qcow2" # otherwise. #infra_vm_root_image: diff --git a/etc/kayobe/seed-vm.yml b/etc/kayobe/seed-vm.yml index 1a575a10b..86be2708f 100644 --- a/etc/kayobe/seed-vm.yml +++ b/etc/kayobe/seed-vm.yml 
@@ -32,12 +32,8 @@ # Base image for the seed VM root volume. Default is # "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img" # when os_distribution is "ubuntu", -# "https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2" -# when os_distribution is "rocky" and os_release is "9", # "https://dl.rockylinux.org/pub/rocky/10/images/x86_64/Rocky-10-GenericCloud-Base.latest.x86_64.qcow2" -# when os_distribution is "rocky" and os_release is "10", -# "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-9-latest.x86_64.qcow2" -# when os_distribution is "centos" and os_release is "9-stream", or +# when os_distribution is "rocky", or # "https://cloud.centos.org/centos/10-stream/x86_64/images/CentOS-Stream-GenericCloud-x86_64-10-latest.x86_64.qcow2" # otherwise. #seed_vm_root_image: diff --git a/kayobe/plugins/filter/networks.py b/kayobe/plugins/filter/networks.py index f949d7982..7c8cff7b1 100644 --- a/kayobe/plugins/filter/networks.py +++ b/kayobe/plugins/filter/networks.py @@ -283,9 +283,9 @@ def net_macaddress(context, name, inventory_hostname=None): def net_bridge_stp(context, name, inventory_hostname=None): """Return the Spanning Tree Protocol (STP) state for a bridge. - On RL9 if STP is not defined, default it to 'false' to preserve - compatibility with network scripts. STP is 'true' in NetworkManager - by default, so we set it to 'false' here. + On RL10 if STP is not defined, default it to 'false' to preserve + compatibility with network scripts. STP is 'true' in NetworkManager by + default, so we set it to 'false' here. :param context: Jinja2 Context object. :param name: The name of the network. diff --git a/playbooks/kayobe-infra-vm-base/infra-vms-group-vars.j2 b/playbooks/kayobe-infra-vm-base/infra-vms-group-vars.j2 index 9ce8d7318..1d30f2122 100644 --- a/playbooks/kayobe-infra-vm-base/infra-vms-group-vars.j2 
+++ b/playbooks/kayobe-infra-vm-base/infra-vms-group-vars.j2 @@ -1,5 +1,5 @@ --- -{% if infra_vm_use_cirros | default(true) or ansible_os_family == 'RedHat' and ansible_distribution_major_version == '9' %} +{% if infra_vm_use_cirros | default(true) %} aio_interface: eth0 {% else %} # Required for official cloud images (CentOS Stream 10, Rocky Linux 10, Ubuntu) diff --git a/playbooks/kayobe-overcloud-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-base/overrides.yml.j2 index a0a46b5c6..8f1a2bbec 100644 --- a/playbooks/kayobe-overcloud-base/overrides.yml.j2 +++ b/playbooks/kayobe-overcloud-base/overrides.yml.j2 @@ -56,8 +56,8 @@ kolla_ironic_kernel_append_params_extra: - ipa-insecure=1 {% endif %} -# NOTE(bbezak): Kolla does not build CentOS Stream 9 container images. -# Using Rocky Linux 9 images on CentOS Stream 9 in CI. +# NOTE(bbezak): Kolla does not build CentOS Stream 10 container images. +# Using Rocky Linux 10 images on CentOS Stream 10 in CI. kolla_base_distro: "{% raw %}{{ 'rocky' if os_distribution == 'centos' else os_distribution }}{% endraw %}" # Support overriding container_engine diff --git a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 index 9e9424981..d2e75f779 100644 --- a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 +++ b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 
@@ -164,21 +164,6 @@ apt_auth: {% endif %} {% if ansible_facts.os_family == 'RedHat' %} -# NOTE: There are OpenDev mirrors only for centos-stream/9-stream and epel/9. -{% if ansible_facts.distribution_major_version == "9" %} -# Use a local DNF mirror. -dnf_use_local_mirror: true -{% if ansible_facts.distribution == 'CentOS' %} -# Mirror FQDN for DNF repos. -dnf_centos_mirror_host: "{{ zuul_site_mirror_fqdn }}" -# Mirror directory for DNF CentOS repos. -dnf_centos_mirror_directory: 'centos-stream' -{% endif %} -# Mirror FQDN for DNF EPEL repos. -dnf_epel_mirror_host: "{{ zuul_site_mirror_fqdn }}" -# Mirror directory for DNF EPEL repos. -dnf_epel_mirror_directory: 'epel' -{% endif %} # Configure a custom DNF repository. dnf_custom_repos: fluent-package: diff --git a/playbooks/kayobe-overcloud-host-configure-base/pre.yml b/playbooks/kayobe-overcloud-host-configure-base/pre.yml index 58603157a..a0bfb9252 100644 --- a/playbooks/kayobe-overcloud-host-configure-base/pre.yml +++ b/playbooks/kayobe-overcloud-host-configure-base/pre.yml @@ -10,25 +10,14 @@ - python3-setuptools become: true - - name: Install Python3.12 on RHEL derivatives - dnf: - name: - - python3.12 - - python3.12-devel - state: latest - when: ansible_facts.os_family == 'RedHat' - become: true - - name: Ensure testinfra is installed - vars: - cmd: "{{ 'python3.12' if ansible_facts.os_family == 'RedHat' else 'python3' }} -m venv" pip: name: - distro - pytest-testinfra - pytest-html virtualenv: "{{ testinfra_venv }}" - virtualenv_command: "{{ cmd }}" + virtualenv_command: python3 -m venv # NOTE(mgoddard): Use the name zz-30-overrides.yml to ensure this takes # precedence over the standard config files and zz-20-overrides.yml from diff --git a/playbooks/kayobe-seed-vm-base/seed-group-vars.j2 b/playbooks/kayobe-seed-vm-base/seed-group-vars.j2 index 757d3686f..ccf57a4e8 100644 --- a/playbooks/kayobe-seed-vm-base/seed-group-vars.j2 +++ b/playbooks/kayobe-seed-vm-base/seed-group-vars.j2 
@@ -1,5 +1,5 @@ --- -{% if seed_vm_use_cirros | default(true) or ansible_os_family == 'RedHat' and ansible_distribution_major_version == '9' %} +{% if seed_vm_use_cirros | default(true) %} aio_interface: eth0 {% else %} # Required for official cloud images (CentOS Stream 10, Rocky Linux 10, Ubuntu) diff --git a/releasenotes/notes/rocky-10-8d56e4bfffe39c08.yaml b/releasenotes/notes/rocky-10-8d56e4bfffe39c08.yaml new file mode 100644 index 000000000..eb5abc988 --- /dev/null +++ b/releasenotes/notes/rocky-10-8d56e4bfffe39c08.yaml @@ -0,0 +1,14 @@ +--- +features: + - | + Adds support for CentOS Stream 10 and Rocky Linux 10 as host operating + systems and base container images. These are the only major versions of + CentOS Stream and Rocky Linux supported from the 2025.2 Flamingo release. + The 2025.1 Epoxy release will support both Rocky Linux 9 and 10 hosts to + provide a route for migration. +upgrade: + - | + CentOS Stream 9 and Rocky Linux 9 are no longer supported as host operating + systems or base container images. Users should migrate to CentOS Stream 10 + or Rocky Linux 10. The 2025.1 Epoxy release will support both Rocky Linux 9 + and 10 hosts to provide a route for migration. diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 2d7272bab..2af930cf3 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -121,32 +121,12 @@ run: playbooks/kayobe-overcloud-base/run.yml timeout: 7200 -- job: - name: kayobe-overcloud-centos9s - parent: kayobe-overcloud-base - nodeset: kayobe-centos9s - voting: false - - job: name: kayobe-overcloud-centos10s parent: kayobe-overcloud-base nodeset: kayobe-centos10s voting: false -- job: - name: kayobe-overcloud-rocky9 - parent: kayobe-overcloud-base - vars: - kayobe_control_host_become: false - nodeset: kayobe-rocky9 - -- job: - name: kayobe-overcloud-rocky9-podman - parent: kayobe-overcloud-base - nodeset: kayobe-rocky9 - vars: - container_engine: podman - - job: name: kayobe-overcloud-rocky10 parent: kayobe-overcloud-base 
@@ -181,23 +161,12 @@ tls_enabled: true ironic_boot_mode: "uefi" -- job: - name: kayobe-overcloud-tls-centos9s - parent: kayobe-overcloud-tls-base - nodeset: kayobe-centos9s - voting: false - - job: name: kayobe-overcloud-tls-centos10s parent: kayobe-overcloud-tls-base nodeset: kayobe-centos10s voting: false -- job: - name: kayobe-overcloud-tls-rocky9 - parent: kayobe-overcloud-tls-base - nodeset: kayobe-rocky9 - - job: name: kayobe-overcloud-tls-rocky10 parent: kayobe-overcloud-tls-base @@ -216,9 +185,9 @@ timeout: 10800 - job: - name: kayobe-overcloud-upgrade-rocky9 + name: kayobe-overcloud-upgrade-rocky10 parent: kayobe-overcloud-upgrade-base - nodeset: kayobe-rocky9 + nodeset: kayobe-rocky10 - job: name: kayobe-overcloud-upgrade-ubuntu-noble @@ -226,9 +195,9 @@ nodeset: kayobe-ubuntu-noble - job: - name: kayobe-overcloud-upgrade-slurp-rocky9 + name: kayobe-overcloud-upgrade-slurp-rocky10 parent: kayobe-overcloud-upgrade-base - nodeset: kayobe-rocky9 + nodeset: kayobe-rocky10 - job: name: kayobe-overcloud-upgrade-slurp-ubuntu-noble @@ -248,30 +217,12 @@ vars: build_images: false -- job: - name: kayobe-seed-centos9s - parent: kayobe-seed-base - nodeset: kayobe-centos9s - voting: false - - job: name: kayobe-seed-centos10s parent: kayobe-seed-base nodeset: kayobe-centos10s voting: false -- job: - name: kayobe-seed-rocky9 - parent: kayobe-seed-base - nodeset: kayobe-rocky9 - -- job: - name: kayobe-seed-rocky9-podman - parent: kayobe-seed-base - nodeset: kayobe-rocky9 - vars: - container_engine: podman - - job: name: kayobe-seed-rocky10 parent: kayobe-seed-base 
@@ -306,37 +257,12 @@ vars: build_images: true -- job: - name: kayobe-seed-images-centos9s - parent: kayobe-seed-images-base - nodeset: kayobe-centos9s - voting: false - - job: name: kayobe-seed-images-centos10s parent: kayobe-seed-images-base nodeset: kayobe-centos10s voting: false -# Build only the base container image in the kayobe-seed-images-rocky9 job -# which always runs. Use `check experimental` to run the other jobs which build -# more images. -- job: - name: kayobe-seed-images-rocky9 - parent: kayobe-seed-images-base - nodeset: kayobe-rocky9 - vars: - overcloud_container_image_regex: "^base" - seed_container_image_regex: "^base" - kayobe_control_host_become: false - -- job: - name: kayobe-seed-images-rocky9-podman - parent: kayobe-seed-images-base - nodeset: kayobe-rocky9 - vars: - container_engine: podman - - job: name: kayobe-seed-images-rocky10 parent: kayobe-seed-images-base @@ -377,23 +303,12 @@ run: playbooks/kayobe-overcloud-host-configure-base/run.yml timeout: 7200 -- job: - name: kayobe-overcloud-host-configure-centos9s - parent: kayobe-overcloud-host-configure-base - nodeset: kayobe-centos9s - voting: false - - job: name: kayobe-overcloud-host-configure-centos10s parent: kayobe-overcloud-host-configure-base nodeset: kayobe-centos10s voting: false -- job: - name: kayobe-overcloud-host-configure-rocky9 - parent: kayobe-overcloud-host-configure-base - nodeset: kayobe-rocky9 - - job: name: kayobe-overcloud-host-configure-rocky10 parent: kayobe-overcloud-host-configure-base @@ -417,9 +332,9 @@ timeout: 5400 - job: - name: kayobe-seed-upgrade-rocky9 + name: kayobe-seed-upgrade-rocky10 parent: kayobe-seed-upgrade-base - nodeset: kayobe-rocky9 + nodeset: kayobe-rocky10 - job: name: kayobe-seed-upgrade-ubuntu-noble 
@@ -427,9 +342,9 @@ nodeset: kayobe-ubuntu-noble - job: - name: kayobe-seed-upgrade-slurp-rocky9 + name: kayobe-seed-upgrade-slurp-rocky10 parent: kayobe-seed-upgrade-base - nodeset: kayobe-rocky9 + nodeset: kayobe-rocky10 - job: name: kayobe-seed-upgrade-slurp-ubuntu-noble @@ -448,23 +363,12 @@ run: playbooks/kayobe-seed-vm-base/run.yml timeout: 5400 -- job: - name: kayobe-seed-vm-centos9s - parent: kayobe-seed-vm-base - nodeset: kayobe-centos9s - voting: false - - job: name: kayobe-seed-vm-centos10s parent: kayobe-seed-vm-base nodeset: kayobe-centos10s voting: false -- job: - name: kayobe-seed-vm-rocky9 - parent: kayobe-seed-vm-base - nodeset: kayobe-rocky9 - - job: name: kayobe-seed-vm-rocky10 parent: kayobe-seed-vm-base @@ -477,14 +381,6 @@ vars: kayobe_control_host_become: false -- job: - name: kayobe-seed-vm-centos9s-cloud-image - parent: kayobe-seed-vm-base - nodeset: kayobe-centos9s - voting: false - vars: - seed_vm_use_cirros: false - - job: name: kayobe-seed-vm-centos10s-cloud-image parent: kayobe-seed-vm-base @@ -493,13 +389,6 @@ vars: seed_vm_use_cirros: false -- job: - name: kayobe-seed-vm-rocky9-cloud-image - parent: kayobe-seed-vm-base - nodeset: kayobe-rocky9 - vars: - seed_vm_use_cirros: false - - job: name: kayobe-seed-vm-rocky10-cloud-image parent: kayobe-seed-vm-base @@ -523,25 +412,12 @@ vars: seed_vm_machine: q35 -- job: - name: kayobe-seed-vm-centos9s-q35 - parent: kayobe-seed-vm-q35-base - nodeset: kayobe-centos9s - voting: false - - job: name: kayobe-seed-vm-centos10s-q35 parent: kayobe-seed-vm-q35-base nodeset: kayobe-centos10s voting: false -- job: - name: kayobe-seed-vm-rocky9-q35 - parent: kayobe-seed-vm-q35-base - nodeset: kayobe-rocky9 - vars: - kayobe_control_host_become: false - - job: name: kayobe-seed-vm-rocky10-q35 parent: kayobe-seed-vm-q35-base 
@@ -566,25 +442,12 @@ run: playbooks/kayobe-infra-vm-base/run.yml timeout: 5400 -- job: - name: kayobe-infra-vm-centos9s - parent: kayobe-infra-vm-base - nodeset: kayobe-centos9s - voting: false - - job: name: kayobe-infra-vm-centos10s parent: kayobe-infra-vm-base nodeset: kayobe-centos10s voting: false -- job: - name: kayobe-infra-vm-rocky9 - parent: kayobe-infra-vm-base - nodeset: kayobe-rocky9 - vars: - kayobe_control_host_become: false - - job: name: kayobe-infra-vm-rocky10 parent: kayobe-infra-vm-base @@ -597,14 +460,6 @@ parent: kayobe-infra-vm-base nodeset: kayobe-ubuntu-noble -- job: - name: kayobe-infra-vm-centos9s-cloud-image - parent: kayobe-infra-vm-base - nodeset: kayobe-centos9s - voting: false - vars: - infra_vm_use_cirros: false - - job: name: kayobe-infra-vm-centos10s-cloud-image parent: kayobe-infra-vm-base @@ -613,13 +468,6 @@ vars: infra_vm_use_cirros: false -- job: - name: kayobe-infra-vm-rocky9-cloud-image - parent: kayobe-infra-vm-base - nodeset: kayobe-rocky9 - vars: - infra_vm_use_cirros: false - - job: name: kayobe-infra-vm-rocky10-cloud-image parent: kayobe-infra-vm-base diff --git a/zuul.d/nodesets.yaml b/zuul.d/nodesets.yaml index 3db1e785c..b7bd14d8b 100644 --- a/zuul.d/nodesets.yaml +++ b/zuul.d/nodesets.yaml @@ -1,22 +1,10 @@ --- -- nodeset: - name: kayobe-centos9s - nodes: - - name: primary - label: centos-9-stream - - nodeset: name: kayobe-centos10s nodes: - name: primary label: centos-10-stream-8GB -- nodeset: - name: kayobe-rocky9 - nodes: - - name: primary - label: rockylinux-9 - - nodeset: name: kayobe-rocky10 nodes: diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 8303a77a9..390132fda 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml 
@@ -13,10 +13,8 @@ - kayobe-tox-ansible - kayobe-tox-molecule - kayobe-infra-vm-rocky10 - - kayobe-infra-vm-rocky9 - kayobe-infra-vm-ubuntu-noble - kayobe-overcloud-host-configure-rocky10 - - kayobe-overcloud-host-configure-rocky9 - kayobe-overcloud-host-configure-ubuntu-noble - kayobe-overcloud-rocky10 - kayobe-overcloud-rocky10-podman @@ -30,7 +28,6 @@ - kayobe-seed-ubuntu-noble-podman - kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky10 - - kayobe-seed-vm-rocky9 - kayobe-seed-vm-ubuntu-noble gate: jobs: @@ -38,10 +35,8 @@ - kayobe-tox-ansible - kayobe-tox-molecule - kayobe-infra-vm-rocky10 - - kayobe-infra-vm-rocky9 - kayobe-infra-vm-ubuntu-noble - kayobe-overcloud-host-configure-rocky10 - - kayobe-overcloud-host-configure-rocky9 - kayobe-overcloud-host-configure-ubuntu-noble - kayobe-overcloud-rocky10 - kayobe-overcloud-rocky10-podman 
@@ -55,45 +50,28 @@ - kayobe-seed-ubuntu-noble-podman - kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky10 - - kayobe-seed-vm-rocky9 - kayobe-seed-vm-ubuntu-noble experimental: jobs: - kayobe-infra-vm-centos10s - kayobe-infra-vm-centos10s-cloud-image - - kayobe-infra-vm-centos9s - - kayobe-infra-vm-centos9s-cloud-image - kayobe-infra-vm-rocky10-cloud-image - - kayobe-infra-vm-rocky9-cloud-image - kayobe-infra-vm-ubuntu-noble-cloud-image - kayobe-overcloud-centos10s - - kayobe-overcloud-centos9s - - kayobe-overcloud-host-configure-centos10s - - kayobe-overcloud-host-configure-centos9s - - kayobe-overcloud-rocky9 - - kayobe-overcloud-rocky9-podman - kayobe-overcloud-tls-centos10s - - kayobe-overcloud-tls-rocky9 - - kayobe-overcloud-upgrade-rocky9 + - kayobe-overcloud-upgrade-rocky10 - kayobe-seed-centos10s - kayobe-seed-images-centos10s - kayobe-seed-images-rocky10 - kayobe-seed-images-rocky10-podman - kayobe-seed-images-ubuntu-noble - kayobe-seed-images-ubuntu-noble-podman - - kayobe-seed-rocky9 - - kayobe-seed-rocky9-podman - - kayobe-seed-upgrade-rocky9 + - kayobe-seed-upgrade-rocky10 - kayobe-seed-vm-centos10s - kayobe-seed-vm-centos10s-cloud-image - kayobe-seed-vm-centos10s-q35 - - kayobe-seed-vm-centos9s - - kayobe-seed-vm-centos9s-cloud-image - - kayobe-seed-vm-centos9s-q35 - kayobe-seed-vm-rocky10-cloud-image - kayobe-seed-vm-rocky10-q35 - - kayobe-seed-vm-rocky9-cloud-image - - kayobe-seed-vm-rocky9-q35 - kayobe-seed-vm-ubuntu-noble-cloud-image - kayobe-seed-vm-ubuntu-noble-q35 From d759b5fb00381338ae8f32203a672bfe59493e63 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 12 Nov 2025 14:41:34 +0100 Subject: [PATCH 107/187] [release] Fix kolla-feature-flags.sh This script was broken by the refactoring of group variables in kolla-ansible [1]. [1] https://review.opendev.org/c/openstack/kolla-ansible/+/962200 Change-Id: Ic923a7c270b93b450fd3a2ecae1057f05a2c373e 
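Review bot: In the `experimental` job list of zuul.d/project.yaml, `- kayobe-overcloud-host-configure-centos10s` is deleted together with the CentOS Stream 9 and Rocky Linux 9 entries. The zuul.d/jobs.yaml hunks in this same commit keep that job defined, and every other `centos10s` entry in this list is kept, so the removal looks accidental. Unless a pipeline outside these hunks lists the job, host configuration on CentOS Stream 10 is no longer exercised by CI. Restore the line `- kayobe-overcloud-host-configure-centos10s` after `- kayobe-overcloud-centos10s`.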
Signed-off-by: Pierre Riteau --- tools/kolla-feature-flags.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/kolla-feature-flags.sh b/tools/kolla-feature-flags.sh index 8d4277a87..73a34f950 100755 --- a/tools/kolla-feature-flags.sh +++ b/tools/kolla-feature-flags.sh @@ -10,12 +10,12 @@ set -e set -o pipefail KOLLA_ANSIBLE_SRC=$1 -KOLLA_GROUP_VARS_ALL=${KOLLA_ANSIBLE_SRC}/ansible/group_vars/all.yml +KOLLA_GROUP_VARS_ALL=${KOLLA_ANSIBLE_SRC}/ansible/group_vars/all -if [[ ! -f $KOLLA_GROUP_VARS_ALL ]]; then +if [[ ! -d $KOLLA_GROUP_VARS_ALL ]]; then echo "Usage: $0 " exit 1 fi # Find all feature flags, strip the enable_ prefix and value, sort. -cat ${KOLLA_GROUP_VARS_ALL} | grep '^enable_'| sed -e 's/enable_\(.*\):.*/ - \1/' | sort +cat ${KOLLA_GROUP_VARS_ALL}/*.yml | grep '^enable_'| sed -e 's/enable_\(.*\):.*/ - \1/' | sort From a846cccc6369bc14928d60df22b83761325bcffa Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 12 Nov 2025 14:56:03 +0100 Subject: [PATCH 108/187] [release] Sync with Kolla Ansible for 2025.2 Change-Id: I5902105a348deace4ff93b1659d454bcf361e341 Signed-off-by: Pierre Riteau --- .../roles/kolla-ansible/templates/overcloud-components.j2 | 5 +---- ansible/roles/kolla-ansible/templates/overcloud-services.j2 | 6 ------ ansible/roles/kolla-ansible/vars/main.yml | 5 ++--- etc/kayobe/kolla.yml | 6 ++---- 4 files changed, 5 insertions(+), 17 deletions(-) diff --git a/ansible/roles/kolla-ansible/templates/overcloud-components.j2 b/ansible/roles/kolla-ansible/templates/overcloud-components.j2 index 88781653f..6734b619b 100644 --- a/ansible/roles/kolla-ansible/templates/overcloud-components.j2 +++ b/ansible/roles/kolla-ansible/templates/overcloud-components.j2 @@ -151,14 +151,11 @@ control [skyline:children] control -[redis:children] +[valkey:children] control [blazar:children] control -[venus:children] -monitoring - [letsencrypt:children] loadbalancer 
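Review bot: The new `cat ${KOLLA_GROUP_VARS_ALL}/*.yml` in tools/kolla-feature-flags.sh leaves the directory variable unquoted, so a kolla-ansible checkout path containing spaces or glob characters is word-split before the `*.yml` glob is applied. Now that several files are concatenated, a flag that appears in more than one of them would also be printed twice. Replace the `cat … | grep '^enable_'` stage with `grep -h '^enable_' "${KOLLA_GROUP_VARS_ALL}"/*.yml` and end the pipeline with `sort -u`. It would also help to update the usage message to say the argument is the kolla-ansible source directory.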
diff --git a/ansible/roles/kolla-ansible/templates/overcloud-services.j2 b/ansible/roles/kolla-ansible/templates/overcloud-services.j2 index b87737dbb..086045cb1 100644 --- a/ansible/roles/kolla-ansible/templates/overcloud-services.j2 +++ b/ansible/roles/kolla-ansible/templates/overcloud-services.j2 @@ -447,12 +447,6 @@ ovn-database [ovn-sb-db-relay:children] ovn-database -[venus-api:children] -venus - -[venus-manager:children] -venus - [letsencrypt-webserver:children] letsencrypt diff --git a/ansible/roles/kolla-ansible/vars/main.yml b/ansible/roles/kolla-ansible/vars/main.yml index 288fef215..6533227b0 100644 --- a/ansible/roles/kolla-ansible/vars/main.yml +++ b/ansible/roles/kolla-ansible/vars/main.yml @@ -136,7 +136,6 @@ kolla_feature_flags: - horizon_octavia - horizon_tacker - horizon_trove - - horizon_venus - horizon_watcher - horizon_zun - influxdb @@ -144,6 +143,7 @@ kolla_feature_flags: - ironic_dnsmasq - ironic_neutron_agent - ironic_prometheus_exporter + - ironic_pxe_filter - iscsid - keepalived - keystone @@ -227,12 +227,11 @@ kolla_feature_flags: - prometheus_server - proxysql - rabbitmq - - redis - skyline - tacker - telegraf - trove - trove_singletenant - - venus + - valkey - watcher - zun diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml index b0ddc74bd..6eb02a5ec 100644 --- a/etc/kayobe/kolla.yml +++ b/etc/kayobe/kolla.yml @@ -284,7 +284,6 @@ #kolla_enable_aodh: #kolla_enable_barbican: -#kolla_enable_bifrost: #kolla_enable_blazar: #kolla_enable_ceilometer: #kolla_enable_ceilometer_horizon_policy_file: @@ -344,7 +343,6 @@ #kolla_enable_horizon_octavia: #kolla_enable_horizon_tacker: #kolla_enable_horizon_trove: -#kolla_enable_horizon_venus: #kolla_enable_horizon_watcher: #kolla_enable_horizon_zun: #kolla_enable_influxdb: 
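Review bot: Dropping `redis` and `venus` from `kolla_feature_flags` in ansible/roles/kolla-ansible/vars/main.yml comes without a release note; the commit's diffstat lists only four files. The matching `#kolla_enable_redis:` and `#kolla_enable_venus:` entries in etc/kayobe/kolla.yml are removed too. If this list decides which `kolla_enable_*` variables are passed on to Kolla Ansible, which the hunk does not show, an existing `kolla_enable_redis: true` would silently stop having any effect after upgrade. An `upgrade` release note naming the replacement flag `kolla_enable_valkey` and the removal of Venus would make that visible to operators. The list itself starts and ends outside the hunk.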
@@ -352,6 +350,7 @@ #kolla_enable_ironic_dnsmasq: #kolla_enable_ironic_neutron_agent: #kolla_enable_ironic_prometheus_exporter: +#kolla_enable_ironic_pxe_filter: #kolla_enable_iscsid: #kolla_enable_keepalived: #kolla_enable_keystone: @@ -435,13 +434,12 @@ #kolla_enable_prometheus_server: #kolla_enable_proxysql: #kolla_enable_rabbitmq: -#kolla_enable_redis: #kolla_enable_skyline: #kolla_enable_tacker: #kolla_enable_telegraf: #kolla_enable_trove: #kolla_enable_trove_singletenant: -#kolla_enable_venus: +#kolla_enable_valkey: #kolla_enable_watcher: #kolla_enable_zun: From 237e8b07e046b1736f74f648e4c489644e4aad3c Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 12 Nov 2025 18:33:01 +0100 Subject: [PATCH 109/187] [release] Use OpenStack 2025.2 release Switch all dependencies to use the OpenStack 2025.2 release. This commit should be reverted on the master branch once the Kayobe stable/2025.2 branch has been cut and RC1 released. Depends-On: https://review.opendev.org/c/openstack/kayobe-config-dev/+/966901 Change-Id: I96f89ce707b950e266cee0625998286634d8baed Signed-off-by: Pierre Riteau --- ansible/inventory/group_vars/all/openstack | 6 +++--- etc/kayobe/openstack.yml | 4 ++-- requirements.yml | 2 +- tox.ini | 10 +++++----- zuul.d/jobs.yaml | 8 ++++++++ 5 files changed, 19 insertions(+), 11 deletions(-) diff --git a/ansible/inventory/group_vars/all/openstack b/ansible/inventory/group_vars/all/openstack index e2525ac78..fe673cc33 100644 --- a/ansible/inventory/group_vars/all/openstack +++ b/ansible/inventory/group_vars/all/openstack 
@@ -2,10 +2,10 @@ ############################################################################### # OpenStack release configuration. -# Name of the current OpenStack release. Default is "master". -openstack_release: "master" +# Name of the current OpenStack release. Default is "2025.2". +openstack_release: "2025.2" -# Name of the current OpenStack branch. Default is "master". +# Name of the current OpenStack branch. Default is "stable/2025.2". openstack_branch: >- {% if openstack_release != 'master' %}stable/{% endif %}{{ openstack_release | lower }} diff --git a/etc/kayobe/openstack.yml b/etc/kayobe/openstack.yml index 1acfd0756..d58a145fe 100644 --- a/etc/kayobe/openstack.yml +++ b/etc/kayobe/openstack.yml @@ -2,10 +2,10 @@ ############################################################################### # OpenStack release configuration. -# Name of the current OpenStack release. Default is "master". +# Name of the current OpenStack release. Default is "2025.2". #openstack_release: -# Name of the current OpenStack branch. Default is "master". +# Name of the current OpenStack branch. Default is "stable/2025.2". #openstack_branch: ############################################################################### diff --git a/requirements.yml b/requirements.yml index ef419f34d..ff8020124 100644 --- a/requirements.yml +++ b/requirements.yml @@ -2,7 +2,7 @@ collections: - name: https://opendev.org/openstack/ansible-collection-kolla type: git - version: master + version: stable/2025.2 - name: community.docker version: 3.11.0 - name: dellemc.os10 diff --git a/tox.ini b/tox.ini index 5801e7136..701bbcfd9 100644 --- a/tox.ini +++ b/tox.ini 
@@ -18,7 +18,7 @@ setenv = OS_STDERR_CAPTURE=1 OS_TEST_TIMEOUT=60 deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2025.2} -r{toxinidir}/requirements.txt -r{toxinidir}/test-requirements.txt commands = stestr run {posargs} @@ -26,7 +26,7 @@ commands = stestr run {posargs} [testenv:pep8] # sphinx8 needs the sphinx package which is required via doc/requirements.txt deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2025.2} -r{toxinidir}/requirements.txt -r{toxinidir}/doc/requirements.txt -r{toxinidir}/test-requirements.txt @@ -41,7 +41,7 @@ commands = [testenv:venv] deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2025.2} -r{toxinidir}/test-requirements.txt -r{toxinidir}/doc/requirements.txt commands = {posargs} @@ -59,7 +59,7 @@ commands = [testenv:molecule] deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2025.2} -r{toxinidir}/requirements.txt -r{toxinidir}/molecule-requirements.txt commands = @@ -130,7 +130,7 @@ commands = [testenv:docs] deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2025.2} -r{toxinidir}/doc/requirements.txt commands = rm -rf doc/build/html diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 2d7272bab..a88ae8b60 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml 
@@ -71,11 +71,19 @@ required-projects: # Include kayobe to ensure other projects can use this job. - name: openstack/ansible-collection-kolla + # TODO(priteau): Remove when kayobe stable/2025.2 exists. + override-checkout: stable/2025.2 - name: openstack/kayobe - name: openstack/kayobe-config-dev - name: openstack/kolla + # TODO(priteau): Remove when kayobe stable/2025.2 exists. + override-checkout: stable/2025.2 - name: openstack/kolla-ansible + # TODO(priteau): Remove when kayobe stable/2025.2 exists. + override-checkout: stable/2025.2 - name: openstack/requirements + # TODO(priteau): Remove when kayobe stable/2025.2 exists. + override-checkout: stable/2025.2 - name: openstack/tenks irrelevant-files: - ^\..+ From 2f845652dd6d70c67f9454c2b09f983076bbca92 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Thu, 25 Sep 2025 11:18:28 +0100 Subject: [PATCH 110/187] Bump up Ansible supported versions to 11.x/12.x This change bumps up the maximum supported version of Ansible to 12.x (ansible-core 2.19.x) and minimum to 11.x (ansible-core 2.18.x). Change-Id: I3ab49d28804733733474565d33cc7b564b203ba6 
Signed-off-by: Will Szumski --- ansible/action_plugins/template_content.py | 19 +++++++ ansible/kolla-ansible.yml | 4 +- ansible/roles/kolla-ansible/defaults/main.yml | 2 +- ansible/roles/kolla-ansible/tasks/install.yml | 2 +- .../kolla-ansible/tests/test-defaults.yml | 2 +- .../roles/kolla-openstack/tasks/config.yml | 4 +- kayobe/ansible.py | 14 ++++- .../plugins/action/kolla_ansible_host_vars.py | 43 +++++++++----- kayobe/plugins/action/merge_configs.py | 13 ++++- kayobe/plugins/action/merge_yaml.py | 12 +++- kayobe/plugins/action/template_content.py | 47 ++++++++++++++++ kayobe/tests/unit/test_ansible.py | 56 +++++++++++++------ kayobe/tests/unit/test_utils.py | 14 ++++- kayobe/utils.py | 3 +- playbooks/kayobe-base/post.yml | 14 +++-- .../bump-ansible-12-536bc4a3ff55dc3b.yaml | 6 ++ requirements.txt | 2 +- requirements.yml | 11 ++-- tox.ini | 1 + zuul.d/project.yaml | 6 ++ 20 files changed, 219 insertions(+), 56 deletions(-) create mode 100644 ansible/action_plugins/template_content.py create mode 100644 kayobe/plugins/action/template_content.py create mode 100644 releasenotes/notes/bump-ansible-12-536bc4a3ff55dc3b.yaml diff --git a/ansible/action_plugins/template_content.py b/ansible/action_plugins/template_content.py new file mode 100644 index 000000000..88eae2588 --- /dev/null +++ b/ansible/action_plugins/template_content.py 
@@ -0,0 +1,19 @@ +# Copyright (c) 2025 StackHPC Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +__metaclass__ = type + +import kayobe.plugins.action.template_content + +ActionModule = kayobe.plugins.action.template_content.ActionModule diff --git a/ansible/kolla-ansible.yml b/ansible/kolla-ansible.yml index 55b79c530..24f3a9c14 100644 --- a/ansible/kolla-ansible.yml +++ b/ansible/kolla-ansible.yml @@ -93,7 +93,7 @@ kolla_ansible_passwords_path: "{{ kayobe_env_config_path }}/kolla/passwords.yml" kolla_overcloud_inventory_search_paths_static: - "{{ kayobe_config_path }}" - kolla_overcloud_inventory_search_paths: "{{ kolla_overcloud_inventory_search_paths_static + kayobe_env_search_paths }}" + kolla_overcloud_inventory_search_paths: "{{ kolla_overcloud_inventory_search_paths_static + kayobe_env_search_paths | default([]) }}" kolla_ansible_certificates_path: "{{ kayobe_env_config_path }}/kolla/certificates" kolla_inspector_dhcp_pool_start: "{{ inspection_net_name | net_inspection_allocation_pool_start }}" kolla_inspector_dhcp_pool_end: "{{ inspection_net_name | net_inspection_allocation_pool_end }}" 
@@ -103,7 +103,7 @@ kolla_libvirt_tls: "{{ compute_libvirt_enable_tls | bool }}" kolla_globals_paths_static: - "{{ kayobe_config_path }}" - kolla_globals_paths_extra: "{{ kolla_globals_paths_static + kayobe_env_search_paths }}" + kolla_globals_paths_extra: "{{ kolla_globals_paths_static + kayobe_env_search_paths | default([]) }}" kolla_ironic_inspector_host: "{{ groups[controller_ironic_inspector_group][0] if groups[controller_ironic_inspector_group] | length > 0 else '' }}" - name: Generate Kolla Ansible host vars for the seed host diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml index 9ea9849c0..db99c0cd8 100644 --- a/ansible/roles/kolla-ansible/defaults/main.yml +++ b/ansible/roles/kolla-ansible/defaults/main.yml @@ -26,7 +26,7 @@ kolla_ansible_venv_extra_requirements: [] # tested code. Changes to this limit should be tested. It is possible to only # install ansible-core by setting kolla_ansible_venv_ansible to None. kolla_ansible_venv_ansible: -kolla_ansible_venv_ansible_core: 'ansible-core>=2.17,<2.19' +kolla_ansible_venv_ansible_core: 'ansible-core>=2.18,<2.20' # Path to a requirements.yml file for Ansible collections. kolla_ansible_requirements_yml: "{{ kolla_ansible_venv }}/share/kolla-ansible/requirements.yml" diff --git a/ansible/roles/kolla-ansible/tasks/install.yml b/ansible/roles/kolla-ansible/tasks/install.yml index 5a643b179..d328ed4f2 100644 --- a/ansible/roles/kolla-ansible/tasks/install.yml +++ b/ansible/roles/kolla-ansible/tasks/install.yml 
@@ -141,7 +141,7 @@ - "{{ kolla_ansible_venv_ansible_core }}" - "{{ kolla_ansible_venv_ansible }}" pip: - name: "{{ (kolla_ansible_packages + kolla_ansible_venv_extra_requirements) | select | list }}" + name: "{{ (kolla_ansible_packages | default([]) + kolla_ansible_venv_extra_requirements | default([])) | select | list }}" state: latest extra_args: "{% if kolla_upper_constraints_file %}-c {{ kolla_upper_constraints_file }}{% endif %}" virtualenv: "{{ kolla_ansible_venv }}" diff --git a/ansible/roles/kolla-ansible/tests/test-defaults.yml b/ansible/roles/kolla-ansible/tests/test-defaults.yml index 5f16456f7..f5832c0d1 100644 --- a/ansible/roles/kolla-ansible/tests/test-defaults.yml +++ b/ansible/roles/kolla-ansible/tests/test-defaults.yml @@ -11,7 +11,7 @@ - block: - name: Test the kolla-ansible role with default values include_role: - name: ../../kolla-ansible + name: "{{ playbook_dir }}/.." vars: kolla_ansible_source_path: "{{ temp_path }}/src" kolla_ansible_ctl_install_type: "source" diff --git a/ansible/roles/kolla-openstack/tasks/config.yml b/ansible/roles/kolla-openstack/tasks/config.yml index 2aa8948a3..ce318fbc6 100644 --- a/ansible/roles/kolla-openstack/tasks/config.yml +++ b/ansible/roles/kolla-openstack/tasks/config.yml @@ -119,11 +119,11 @@ params: content: | {%- for path in item.sources -%} - {{ lookup('template', path) }} + {{ lookup('file', path) }} {%- endfor -%} dest: "{{ item.dest }}" mode: 0640 - copy: "{{ params | combine(item.params) }}" + template_content: "{{ params | combine(item.params) }}" with_items: "{{ kolla_custom_config_info.concat }}" - name: Ensure unnecessary extra configuration files are absent diff --git a/kayobe/ansible.py b/kayobe/ansible.py index 882e2385f..f6cf8dbb0 100644 --- a/kayobe/ansible.py +++ b/kayobe/ansible.py 
@@ -21,7 +21,14 @@ import sys import tempfile -from ansible.parsing.yaml.objects import AnsibleVaultEncryptedUnicode +# TODO(dougszu): Backwards compatibility for Ansible 11. This exception +# handler can be removed in the G cycle. +try: + from ansible.parsing.vault import EncryptedString +except ImportError: + # Ansible 11 + from ansible.parsing.yaml.objects import AnsibleVaultEncryptedUnicode + EncryptedString = AnsibleVaultEncryptedUnicode from kayobe import exception from kayobe import utils @@ -222,6 +229,9 @@ def _get_environment(parsed_args, external_playbook=False): """Return an environment dict for executing an Ansible playbook.""" env = os.environ.copy() vault.update_environment(parsed_args, env) + # TODO(wszusmki): Kayobe still uses broken conditions. Work on fixing these + # and remove when that work is complete. + env.setdefault("ANSIBLE_ALLOW_BROKEN_CONDITIONALS", "true") # If the configuration path has been specified via --config-path, ensure # the environment variable is set, so that it can be referenced by # playbooks. @@ -340,7 +350,7 @@ def run_playbook(parsed_args, playbook, *args, **kwargs): def _sanitise_hostvar(var): """Sanitise a host variable.""" - if isinstance(var, AnsibleVaultEncryptedUnicode): + if isinstance(var, EncryptedString): return "******" # Recursively sanitise dicts and lists. if isinstance(var, dict): diff --git a/kayobe/plugins/action/kolla_ansible_host_vars.py b/kayobe/plugins/action/kolla_ansible_host_vars.py index b4ee02db8..d6b620980 100644 --- a/kayobe/plugins/action/kolla_ansible_host_vars.py +++ b/kayobe/plugins/action/kolla_ansible_host_vars.py 
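Review bot: In `_get_environment`, `env.setdefault("ANSIBLE_ALLOW_BROKEN_CONDITIONALS", "true")` applies to every playbook run, and the signature in the hunk header carries an `external_playbook` argument, so operator-supplied playbooks appear to inherit the relaxed conditional handling along with Kayobe's own. With the option on, a `when:` or `failed_when:` whose result is not a real boolean is accepted rather than rejected, which can hide a check that no longer evaluates as its author intended. Consider applying it only when `external_playbook` is false, and extend the comment to say it is a temporary global override that an operator can switch off by exporting `ANSIBLE_ALLOW_BROKEN_CONDITIONALS=false` (the `setdefault` keeps an existing value). The TODO tag `wszusmki` looks like a misspelling of the `wszumski` used elsewhere in this series. The function body continues outside the hunk.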
@@ -14,6 +14,16 @@ from ansible.plugins.action import ActionBase +# TODO(dougszu): From Ansible 12 onwards we must explicitly trust templates. +# Since this feature is not supported in previous releases, we define a +# noop method here for backwards compatibility. This can be removed in the +# G cycle. +try: + from ansible.template import trust_as_template +except ImportError: + def trust_as_template(template): + return template + class ConfigError(Exception): pass @@ -28,6 +38,11 @@ class ActionModule(ActionBase): TRANSFERS_FILES = False + def trusted_template(self, input): + # Mark all input as trusted. + trusted_input = trust_as_template(input) + return self._templar.template(trusted_input) + def run(self, tmp=None, task_vars=None): if task_vars is None: task_vars = dict() @@ -97,11 +112,11 @@ def _run(self, interfaces, external_networks): def _get_interface_fact(self, net_name, required, description): # Check whether the network is mapped to this host. condition = "{{ '%s' in network_interfaces }}" % net_name - condition = self._templar.template(condition) + condition = self.trusted_template(condition) if condition: # Get the network interface for this network. iface = ("{{ '%s' | net_interface }}" % net_name) - iface = self._templar.template(iface) + iface = self.trusted_template(iface) if required and not iface: msg = ("Required network '%s' (%s) does not have an interface " "configured for this host" % (net_name, description)) 
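Review bot: `trusted_template` marks whatever string it receives as a trusted template, and its callers build that string with `%` formatting, e.g. `"{{ '%s' | net_interface }}" % net_name`, so a network or interface name containing a quote would become part of the trusted Jinja expression instead of staying data. Those names presumably come from operator-controlled Kayobe configuration, but the helper should state that contract in a docstring such as `"""Render a template string authored by this plugin; never pass remote or fact data."""`. The parameter name `input` also shadows the builtin; `template` would read better. The same call pattern recurs in the later hunks of this file (`_get_external_interface`, `_get_external_interface_facts`).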
@@ -114,20 +129,20 @@ def _get_interface_fact(self, net_name, required, description): def _get_external_interface(self, net_name, required): condition = "{{ '%s' in network_interfaces }}" % net_name - condition = self._templar.template(condition) + condition = self.trusted_template(condition) if condition: - iface = self._templar.template("{{ '%s' | net_interface }}" % - net_name) + iface = self.trusted_template("{{ '%s' | net_interface }}" % + net_name) if iface: # When these networks are VLANs, we need to use the # underlying tagged bridge interface rather than the # untagged interface. We therefore strip the . suffix # of the interface name. We use a union here as a single # tagged interface may be shared between these networks. - vlan = self._templar.template("{{ '%s' | net_vlan }}" % - net_name) - parent = self._templar.template("{{ '%s' | net_parent }}" % - net_name) + vlan = self.trusted_template("{{ '%s' | net_vlan }}" % + net_name) + parent = self.trusted_template("{{ '%s' | net_parent }}" % + net_name) if vlan and parent: iface = parent elif vlan and iface.endswith(".%s" % vlan): 
@@ -146,15 +161,15 @@ def _get_external_interface_facts(self, external_interfaces): neutron_external_interfaces = [] neutron_physical_networks = [] missing_physical_networks = [] - bridge_suffix = self._templar.template( + bridge_suffix = self.trusted_template( "{{ network_bridge_suffix_ovs }}") - patch_prefix = self._templar.template("{{ network_patch_prefix }}") - patch_suffix = self._templar.template("{{ network_patch_suffix_ovs }}") + patch_prefix = self.trusted_template("{{ network_patch_prefix }}") + patch_suffix = self.trusted_template("{{ network_patch_suffix_ovs }}") for interface, iface_networks in external_interfaces.items(): is_bridge = ("{{ '%s' in (network_interfaces |" "net_select_bridges |" "map('net_interface')) }}" % interface) - is_bridge = self._templar.template(is_bridge) + is_bridge = self.trusted_template(is_bridge) neutron_bridge_names.append(interface + bridge_suffix) # For a bridge, use a veth pair connected to the bridge. Otherwise # use the interface directly. @@ -171,7 +186,7 @@ def _get_external_interface_facts(self, external_interfaces): # attribute set, and if so, whether they are consistent. iface_physical_networks = [] for iface_network in iface_networks: - physical_network = self._templar.template( + physical_network = self.trusted_template( "{{ '%s' | net_physical_network }}" % iface_network) if (physical_network and physical_network not in iface_physical_networks): diff --git a/kayobe/plugins/action/merge_configs.py b/kayobe/plugins/action/merge_configs.py index 3aff18d53..d1c22e25a 100644 --- a/kayobe/plugins/action/merge_configs.py +++ b/kayobe/plugins/action/merge_configs.py 
@@ -24,10 +24,21 @@ from ansible import constants from ansible.plugins import action +# TODO(dougszu): From Ansible 12 onwards we must explicitly trust templates. +# Since this feature is not supported in previous releases, we define a +# noop method here for backwards compatibility. This can be removed in the +# G cycle. +try: + from ansible.template import trust_as_template +except ImportError: + def trust_as_template(template): + return template + from io import StringIO from oslo_config import iniparser + _ORPHAN_SECTION = 'TEMPORARY_ORPHAN_VARIABLE_SECTION' DOCUMENTATION = ''' @@ -154,7 +165,7 @@ def read_config(self, source, config): # Only use config if present if os.access(source, os.R_OK): with open(source, 'r') as f: - template_data = f.read() + template_data = trust_as_template(f.read()) # set search path to mimic 'template' module behavior searchpath = [ diff --git a/kayobe/plugins/action/merge_yaml.py b/kayobe/plugins/action/merge_yaml.py index 73f954832..41ab5f099 100644 --- a/kayobe/plugins/action/merge_yaml.py +++ b/kayobe/plugins/action/merge_yaml.py @@ -27,6 +27,16 @@ from ansible import errors as ansible_errors from ansible.plugins import action +# TODO(dougszu): From Ansible 12 onwards we must explicitly trust templates. +# Since this feature is not supported in previous releases, we define a +# noop method here for backwards compatibility. This can be removed in the +# G cycle. +try: + from ansible.template import trust_as_template +except ImportError: + def trust_as_template(template): + return template + DOCUMENTATION = ''' --- module: merge_yaml @@ -95,7 +105,7 @@ def read_config(self, source): # Only use config if present if source and os.access(source, os.R_OK): with open(source, 'r') as f: - template_data = f.read() + template_data = trust_as_template(f.read()) # set search path to mimic 'template' module behavior searchpath = [ 
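Review bot: `trust_as_template(f.read())` in `read_config` marks the whole content of every readable source file as a trusted template, so the trust decision now rests entirely on who can write those files. A comment at that line should record the assumption, e.g. `# Sources are operator-supplied config files; their content is templated on purpose.` The same change is made in `read_config` in `merge_yaml.py`. The try/except shim for `trust_as_template` is now copied into three plugins (`kolla_ansible_host_vars.py`, `merge_configs.py`, `merge_yaml.py`); one shared helper module would leave a single Ansible 11 fallback to delete later. Both `read_config` bodies continue outside their hunks.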
diff --git a/kayobe/plugins/action/template_content.py b/kayobe/plugins/action/template_content.py new file mode 100644 index 000000000..cd330bdca --- /dev/null +++ b/kayobe/plugins/action/template_content.py @@ -0,0 +1,47 @@ +# Copyright (c) 2025 StackHPC Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import os +import tempfile + +from ansible.module_utils.common.text.converters import to_bytes +from ansible.plugins.action.template import ActionModule as TemplateBase + +from ansible import errors as ansible_errors + + +class ActionModule(TemplateBase): + """Decorates template action to support using content parameter""" + + def run(self, *args, **kwargs): + module_args = self._task.args + if "src" in module_args and "content" in module_args: + raise ansible_errors.AnsibleActionFail( + "Invalid argument: content and src are mutually exclusive." + ) + if "content" not in module_args and "src" not in module_args: + raise ansible_errors.AnsibleActionFail( + "Invalid argument: You must speicfy either content or src" + ) + + if "src" in module_args: + return super().run(*args, **kwargs) + + with tempfile.NamedTemporaryFile() as fp: + content = module_args.pop("content", "") + fp.write(to_bytes(content)) + fp.flush() + tempfile_path = os.path.join(tempfile.gettempdir(), str(fp.name)) + module_args["src"] = tempfile_path + return super().run(*args, **kwargs) 
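Review bot: In `ActionModule.run`, `os.path.join(tempfile.gettempdir(), str(fp.name))` is redundant because `NamedTemporaryFile().name` is already the file's full path; `module_args["src"] = fp.name` is enough and does not rely on the join discarding its first argument. The error text contains a typo, `speicfy`, and should read `"Invalid argument: You must specify either content or src"`. `module_args.pop("content", "")` edits `self._task.args` in place and leaves `src` pointing at a temp file that is removed when the `with` block exits, which deserves a short comment. The class docstring could also say that `content` is written to a temporary file and rendered through the stock template action.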
diff --git a/kayobe/tests/unit/test_ansible.py b/kayobe/tests/unit/test_ansible.py index 458373f9a..00600287d 100644 --- a/kayobe/tests/unit/test_ansible.py +++ b/kayobe/tests/unit/test_ansible.py @@ -28,6 +28,9 @@ from kayobe import utils from kayobe import vault +from ansible.parsing.vault import VaultSecret +from ansible.parsing.vault import VaultSecretsContext + @mock.patch.dict(os.environ, clear=True) class TestCase(unittest.TestCase): @@ -56,6 +59,7 @@ def test_run_playbooks(self, mock_validate, mock_vars, mock_run): ] expected_env = { + "ANSIBLE_ALLOW_BROKEN_CONDITIONALS": "true", "KAYOBE_CONFIG_PATH": "/etc/kayobe", "ANSIBLE_ROLES_PATH": ":".join([ "/etc/kayobe/ansible/roles", @@ -106,6 +110,7 @@ def test_run_playbooks_internal(self, mock_validate, mock_vars, mock_run): ] expected_env = { + "ANSIBLE_ALLOW_BROKEN_CONDITIONALS": "true", "KAYOBE_CONFIG_PATH": "/etc/kayobe", "ANSIBLE_ROLES_PATH": ":".join([ utils.get_data_files_path("ansible", "roles"), @@ -223,6 +228,7 @@ def test_run_playbooks_all_the_args(self, mock_validate, mock_vars, ] expected_env = { + "ANSIBLE_ALLOW_BROKEN_CONDITIONALS": "true", "KAYOBE_CONFIG_PATH": "/path/to/config", "KAYOBE_ENVIRONMENT": "test-env", "ANSIBLE_ROLES_PATH": ":".join([ @@ -299,6 +305,7 @@ def test_run_playbooks_all_the_long_args(self, mock_ask, mock_validate, "playbook2.yml", ] expected_env = { + "ANSIBLE_ALLOW_BROKEN_CONDITIONALS": "true", "KAYOBE_CONFIG_PATH": "/path/to/config", "KAYOBE_ENVIRONMENT": "test-env", "KAYOBE_VAULT_PASSWORD": "test-pass", @@ -342,6 +349,7 @@ def test_run_playbooks_vault_password_file(self, mock_update, "playbook1.yml", ] expected_env = { + "ANSIBLE_ALLOW_BROKEN_CONDITIONALS": "true", "KAYOBE_CONFIG_PATH": "/etc/kayobe", "ANSIBLE_ROLES_PATH": mock.ANY, "ANSIBLE_COLLECTIONS_PATH": mock.ANY, 
@@ -379,6 +387,7 @@ def test_run_playbooks_vault_password_helper(self, mock_validate, "playbook1.yml", ] expected_env = { + "ANSIBLE_ALLOW_BROKEN_CONDITIONALS": "true", "KAYOBE_CONFIG_PATH": "/etc/kayobe", "KAYOBE_VAULT_PASSWORD": "test-pass", "ANSIBLE_ROLES_PATH": mock.ANY, @@ -446,6 +455,7 @@ def test_run_playbooks_func_args(self, mock_validate, mock_vars, mock_run): "playbook2.yml", ] expected_env = { + "ANSIBLE_ALLOW_BROKEN_CONDITIONALS": "true", "KAYOBE_CONFIG_PATH": "/etc/kayobe", "ANSIBLE_ROLES_PATH": mock.ANY, "ANSIBLE_COLLECTIONS_PATH": mock.ANY, @@ -483,6 +493,7 @@ def test_run_playbooks_ignore_limit(self, mock_validate, mock_vars, "playbook2.yml", ] expected_env = { + "ANSIBLE_ALLOW_BROKEN_CONDITIONALS": "true", "KAYOBE_CONFIG_PATH": "/etc/kayobe", "ANSIBLE_ROLES_PATH": mock.ANY, "ANSIBLE_COLLECTIONS_PATH": mock.ANY, @@ -520,6 +531,7 @@ def test_run_playbooks_list_tasks_arg(self, mock_validate, mock_vars, "playbook2.yml", ] expected_env = { + "ANSIBLE_ALLOW_BROKEN_CONDITIONALS": "true", "KAYOBE_CONFIG_PATH": "/etc/kayobe", "ANSIBLE_ROLES_PATH": mock.ANY, "ANSIBLE_COLLECTIONS_PATH": mock.ANY, @@ -553,6 +565,7 @@ def test_run_playbooks_ansible_cfg(self, mock_validate, mock_vars, expected_env = { "ANSIBLE_CONFIG": "/etc/kayobe/ansible.cfg", "KAYOBE_CONFIG_PATH": "/etc/kayobe", + "ANSIBLE_ALLOW_BROKEN_CONDITIONALS": "true", "ANSIBLE_ROLES_PATH": mock.ANY, "ANSIBLE_COLLECTIONS_PATH": mock.ANY, "ANSIBLE_ACTION_PLUGINS": mock.ANY, @@ -585,6 +598,7 @@ def test_run_playbooks_ansible_cfg_env(self, mock_validate, mock_vars, "playbook1.yml", ] expected_env = { + "ANSIBLE_ALLOW_BROKEN_CONDITIONALS": "true", "ANSIBLE_CONFIG": "/path/to/ansible.cfg", "KAYOBE_CONFIG_PATH": "/etc/kayobe", "ANSIBLE_ROLES_PATH": mock.ANY, 
@@ -656,6 +670,10 @@ def test_config_dump(self, mock_mkdtemp, mock_run, mock_listdir, mock_read, @mock.patch.object(tempfile, 'mkdtemp') def test_config_dump_vaulted(self, mock_mkdtemp, mock_run, mock_listdir, mock_read, mock_rmtree): + + secret = VaultSecret(b'test-pass') + VaultSecretsContext.initialize( + VaultSecretsContext(secrets=[('default', secret)])) parser = argparse.ArgumentParser() parsed_args = parser.parse_args([]) dump_dir = "/path/to/dump" 
@@ -663,31 +681,31 @@ def test_config_dump_vaulted(self, mock_mkdtemp, mock_run, mock_listdir, mock_listdir.return_value = ["host1.yml", "host2.yml"] config = """--- key1: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 633230623736383232323862393364323037343430393530316636363961626361393133646437 - 643438663261356433656365646138666133383032376532310a63323432306431303437623637 - 346236316161343635636230613838316566383933313338636237616338326439616536316639 - 6334343462333062363334300a3930313762313463613537626531313230303731343365643766 - 666436333037 + $ANSIBLE_VAULT;1.1;AES256 + 65393836643335346138373665636564643436353231623838636261373565633731303835653139 + 6335343464383063373734636161323236636431316532650a333366333366396262353635313531 + 64666236636262326662323931313065376533333961356239363637333363623464666636616233 + 6130373664393533350a663266613165646565346433313536313461653236303563643262323936 + 6262 key2: value2 key3: - !vault | $ANSIBLE_VAULT;1.1;AES256 - 633230623736383232323862393364323037343430393530316636363961626361393133646437 - 643438663261356433656365646138666133383032376532310a63323432306431303437623637 - 346236316161343635636230613838316566383933313338636237616338326439616536316639 - 6334343462333062363334300a3930313762313463613537626531313230303731343365643766 - 666436333037 + 65393836643335346138373665636564643436353231623838636261373565633731303835653139 + 6335343464383063373734636161323236636431316532650a333366333366396262353635313531 + 64666236636262326662323931313065376533333961356239363637333363623464666636616233 + 6130373664393533350a663266613165646565346433313536313461653236303563643262323936 + 6262 """ config_nested = """--- key1: key2: !vault | $ANSIBLE_VAULT;1.1;AES256 - 633230623736383232323862393364323037343430393530316636363961626361393133646437 - 643438663261356433656365646138666133383032376532310a63323432306431303437623637 - 346236316161343635636230613838316566383933313338636237616338326439616536316639 - 
6334343462333062363334300a3930313762313463613537626531313230303731343365643766 - 666436333037 + 65393836643335346138373665636564643436353231623838636261373565633731303835653139 + 6335343464383063373734636161323236636431316532650a333366333366396262353635313531 + 64666236636262326662323931313065376533333961356239363637333363623464666636616233 + 6130373664393533350a663266613165646565346433313536313461653236303563643262323936 + 6262 """ mock_read.side_effect = [config, config_nested] result = ansible.config_dump(parsed_args) @@ -951,6 +969,7 @@ def test_multiple_inventory_args(self, mock_validate, mock_vars, mock_run): "playbook2.yml", ] expected_env = { + "ANSIBLE_ALLOW_BROKEN_CONDITIONALS": "true", "KAYOBE_CONFIG_PATH": "/etc/kayobe", "ANSIBLE_ROLES_PATH": mock.ANY, "ANSIBLE_COLLECTIONS_PATH": mock.ANY, @@ -994,6 +1013,7 @@ def exists_replacement(path): "playbook2.yml", ] expected_env = { + "ANSIBLE_ALLOW_BROKEN_CONDITIONALS": "true", "KAYOBE_CONFIG_PATH": "/etc/kayobe", "KAYOBE_ENVIRONMENT": "test-env", "ANSIBLE_ROLES_PATH": mock.ANY, @@ -1036,6 +1056,7 @@ def exists_replacement(path): "playbook2.yml", ] expected_env = { + "ANSIBLE_ALLOW_BROKEN_CONDITIONALS": "true", "KAYOBE_CONFIG_PATH": "/etc/kayobe", "KAYOBE_ENVIRONMENT": "test-env", "ANSIBLE_ROLES_PATH": mock.ANY, @@ -1079,6 +1100,7 @@ def exists_replacement(path): "playbook2.yml", ] expected_env = { + "ANSIBLE_ALLOW_BROKEN_CONDITIONALS": "true", "KAYOBE_CONFIG_PATH": "/etc/kayobe", "KAYOBE_ENVIRONMENT": "test-env", "ANSIBLE_ROLES_PATH": mock.ANY, @@ -1127,6 +1149,7 @@ def exists_replacement(path): "playbook2.yml", ] expected_env = { + "ANSIBLE_ALLOW_BROKEN_CONDITIONALS": "true", "KAYOBE_CONFIG_PATH": "/etc/kayobe", "KAYOBE_ENVIRONMENT": "test-env", "ANSIBLE_ROLES_PATH": mock.ANY, 
@@ -1207,6 +1230,7 @@ def exists_replacement(path): "playbook2.yml", ] expected_env = { + "ANSIBLE_ALLOW_BROKEN_CONDITIONALS": "true", "KAYOBE_CONFIG_PATH": "/etc/kayobe", "KAYOBE_ENVIRONMENT": "test-env", "ANSIBLE_ROLES_PATH": mock.ANY, diff --git a/kayobe/tests/unit/test_utils.py b/kayobe/tests/unit/test_utils.py index 91d076937..fc975c221 100644 --- a/kayobe/tests/unit/test_utils.py +++ b/kayobe/tests/unit/test_utils.py @@ -18,7 +18,15 @@ import unittest from unittest import mock -from ansible.parsing.yaml.objects import AnsibleVaultEncryptedUnicode +# TODO(dougszu): Backwards compatibility for Ansible 11. This exception +# handler can be removed in the G cycle. +try: + from ansible.parsing.vault import EncryptedString +except ImportError: + # Ansible 11 + from ansible.parsing.yaml.objects import AnsibleVaultEncryptedUnicode + EncryptedString = AnsibleVaultEncryptedUnicode + import yaml from kayobe import exception @@ -167,9 +175,9 @@ def test_read_config_dump_yaml_file_vaulted(self, mock_read): mock_read.return_value = config result = utils.read_config_dump_yaml_file("/path/to/file") # Can't read the value without an encryption key, so just check type. - self.assertIsInstance(result["key1"], AnsibleVaultEncryptedUnicode) + self.assertIsInstance(result["key1"], EncryptedString) self.assertEqual(result["key2"], "value2") - self.assertIsInstance(result["key3"][0], AnsibleVaultEncryptedUnicode) + self.assertIsInstance(result["key3"][0], EncryptedString) mock_read.assert_called_once_with("/path/to/file") @mock.patch.object(utils, "read_file") diff --git a/kayobe/utils.py b/kayobe/utils.py index ff4c35ca0..14cbf6637 100644 --- a/kayobe/utils.py +++ b/kayobe/utils.py 
@@ -189,7 +189,8 @@ def read_config_dump_yaml_file(path): sys.exit(1) try: # AnsibleLoader supports loading vault encrypted variables. - return AnsibleLoader(content).get_single_data() + data = AnsibleLoader(content).get_single_data() + return data except yaml.YAMLError as e: print("Failed to decode config dump YAML file %s: %s" % (path, repr(e))) diff --git a/playbooks/kayobe-base/post.yml b/playbooks/kayobe-base/post.yml index d2e5eb345..89314aee2 100644 --- a/playbooks/kayobe-base/post.yml +++ b/playbooks/kayobe-base/post.yml @@ -11,11 +11,15 @@ --- - hosts: localhost tasks: - - name: Testing become fails - command: "true" - become: true - register: result - failed_when: '"CONTROL_HOST_BECOME_VIOLATION" not in result.module_stderr' + - block: + - name: Testing become fails + command: "true" + become: true + register: result + rescue: + - name: Check for become failure + fail: + when: '"CONTROL_HOST_BECOME_VIOLATION" not in result.msg' dest: /tmp/test-control-host-become.yml - name: Check that that kayobe become validator was correctly configured diff --git a/releasenotes/notes/bump-ansible-12-536bc4a3ff55dc3b.yaml b/releasenotes/notes/bump-ansible-12-536bc4a3ff55dc3b.yaml new file mode 100644 index 000000000..5901b6a26 --- /dev/null +++ b/releasenotes/notes/bump-ansible-12-536bc4a3ff55dc3b.yaml @@ -0,0 +1,6 @@ +--- + upgrade: + - | + Updates the maximum supported version of Ansible from 12 (ansible-core + 2.18) to 13 (ansible-core 2.19). The minimum supported version is updated + from 10.x to 11.x. This is true for both Kayobe and Kolla Ansible. diff --git a/requirements.txt b/requirements.txt index c4141c12d..75e9edefe 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,6 +1,6 @@ pbr>=2.0 # Apache-2.0 Jinja2>3 # BSD -ansible>=10,<12 # GPLv3 +ansible>=11,<13 # GPLv3 cliff>=3.1.0 # Apache netaddr!=0.7.16,>=0.7.13 # BSD PyYAML>=3.10.0 # MIT diff --git a/requirements.yml b/requirements.yml index b87c418c3..2490a5bcb 100644 --- a/requirements.yml 
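Review bot: In the generated playbook in `playbooks/kayobe-base/post.yml`, the `block`/`rescue` form only checks anything when the `become` task fails. If `become` unexpectedly succeeds, `rescue` never runs and the play ends cleanly, whereas the removed `failed_when` failed the task whenever `CONTROL_HOST_BECOME_VIOLATION` was absent. Unless the following task, which lies outside this hunk, catches that case another way, end the `block` with a step that fails when it is reached: `- name: Fail if become was permitted`, `fail:`, `msg: become on the control host was not rejected`. A one-line comment above the `block` stating that the play must fail unless the validator rejects `become` would make the intent of this check explicit.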
+++ b/requirements.yml @@ -29,9 +29,9 @@ roles: version: 1.3.1 - src: giovtorres.tuned version: 1.2.0 - - src: jriguera.configdrive - # There are no versioned releases of this role. - version: 71ddface5540ee0ff9e35bcc4334c766ed5d5d3f + - src: git+https://github.com/stackhpc/ansible-role-configdrive.git + name: jriguera.configdrive + version: fb199247333e72e38a9d414cf7b6144daa645477 - src: MichaelRigart.interfaces version: v1.15.6 - src: mrlesmithjr.chrony @@ -46,8 +46,9 @@ roles: version: 1.1.6 - src: stackhpc.drac-facts version: 1.0.0 - - src: stackhpc.libvirt-host - version: v1.14.0 + - src: git+https://github.com/stackhpc/ansible-role-libvirt-host.git + name: stackhpc.libvirt-host + version: 9a947f74abdcd2e0d4e3371162f8299aef259271 - src: stackhpc.libvirt-vm version: v1.16.3 - src: stackhpc.luks diff --git a/tox.ini b/tox.ini index 5801e7136..a8ea73ca1 100644 --- a/tox.ini +++ b/tox.ini @@ -17,6 +17,7 @@ setenv = OS_STDOUT_CAPTURE=1 OS_STDERR_CAPTURE=1 OS_TEST_TIMEOUT=60 + ANSIBLE_VERBOSITY=3 deps = -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} -r{toxinidir}/requirements.txt diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 17b729553..a49b11c60 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -9,6 +9,9 @@ - release-notes-jobs-python3 check: jobs: + - openstack-tox-py310: + #NOTE(wszumski): We have dropped python3.10 support, so disable this job. + files: THIS-JOB-IS-DISABLED - kayobe-tox-ansible-syntax - kayobe-tox-ansible - kayobe-tox-molecule @@ -34,6 +37,9 @@ - kayobe-seed-vm-ubuntu-noble gate: jobs: + - openstack-tox-py310: + #NOTE(wszumski): We have dropped python3.10 support, so disable this job. + files: THIS-JOB-IS-DISABLED - kayobe-tox-ansible-syntax - kayobe-tox-ansible - kayobe-tox-molecule From 75d93c8da05484e23ffa83ba26fc1b8c10be5ec8 Mon Sep 17 00:00:00 2001 
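Review bot: Both roles in `requirements.yml` are now fetched from a `git+https://github.com/stackhpc/...` URL at a bare commit hash, and the hunk drops the only comment that explained a hash pin. Nothing records what each hash contains or when `stackhpc.libvirt-host` can return to a tagged release (it was `v1.14.0`). Pinning a git source to a full commit hash is the right choice; add a comment above each entry, e.g. `# Pinned to a commit (<reason>); return to a tagged release when one is available.` For `jriguera.configdrive` the source also moves from the Galaxy role to a StackHPC fork under the same `name:`, which the comment should state so the role's origin is clear to anyone auditing dependencies.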
From: Will Szumski Date: Mon, 8 Sep 2025 12:22:12 +0000 Subject: [PATCH 111/187] Support built-in inspector Switches to using the builtin inspector rather than the standalone ironic-inspector service since this has now been dropped from kolla-ansible. Where possible, the new service has been configured to maintain the same behaviour of the old standalone service. When using the standalone inspector, Kayobe has a few opinionated defaults for the set of processing hooks. These defaults have been translated over to the built-in inspector equivalents for a more consistent experience. Inspection rules have been rewritten to use the new format. CLI invocations have been updated to use the commands for the new inspection service. Change-Id: I09bd59d085c7ec3fa0ccd6abb84bd2d0c8b9825d Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/961266 
Signed-off-by: Will Szumski --- ...emetal-compute-introspection-data-save.yml | 4 +- ansible/inventory/group_vars/all/bifrost | 4 +- ansible/inventory/group_vars/all/inspector | 365 ++++++++++-------- ansible/inventory/group_vars/all/kolla | 8 +- ansible/inventory/group_vars/all/openstack | 33 ++ ansible/kolla-bifrost-hostvars.yml | 2 +- ansible/kolla-openstack.yml | 2 +- ansible/overcloud-introspection-data-save.yml | 2 +- ansible/overcloud-introspection-rules.yml | 20 + .../ironic-inspector-rules/defaults/main.yml | 2 +- .../library/os_ironic_inspector_rule.py | 21 +- .../ironic-inspector-rules/tasks/main.yml | 13 +- .../kolla-ansible/templates/kolla/globals.yml | 2 +- ansible/roles/kolla-bifrost/defaults/main.yml | 2 +- .../kolla/config/bifrost/bifrost.yml | 4 +- .../roles/kolla-openstack/defaults/main.yml | 4 +- .../templates/kolla/config/ironic.conf | 32 ++ ansible/seed-introspection-rules.yml | 2 +- dev/functions | 4 +- .../configuration/reference/bifrost.rst | 4 +- etc/kayobe/bifrost.yml | 2 +- etc/kayobe/inspector.yml | 36 +- playbooks/kayobe-overcloud-base/run.yml | 1 - .../kayobe-overcloud-upgrade-base/run.yml | 1 - ...ng-builtin-inspector-04ab4ea4f1a1c3c8.yaml | 26 ++ requirements.yml | 2 +- 26 files changed, 377 insertions(+), 221 deletions(-) create mode 100644 releasenotes/notes/adds-support-for-configuring-builtin-inspector-04ab4ea4f1a1c3c8.yaml diff --git a/ansible/baremetal-compute-introspection-data-save.yml b/ansible/baremetal-compute-introspection-data-save.yml index 505349e5a..28ae86c96 100644 --- a/ansible/baremetal-compute-introspection-data-save.yml +++ b/ansible/baremetal-compute-introspection-data-save.yml @@ -10,7 +10,7 @@ virtualenv: "{{ venv }}" name: - python-openstackclient - - python-ironic-inspector-client + - python-ironicclient state: latest virtualenv_command: python3.{{ ansible_facts.python.version.minor }} -m venv extra_args: "{% if pip_upper_constraints_file %}-c {{ pip_upper_constraints_file }}{% endif %}" 
@@ -31,7 +31,7 @@ tasks: - name: Query baremetal compute nodes' hardware introspection data command: > - {{ venv }}/bin/openstack baremetal introspection data save {{ inventory_hostname }} + {{ venv }}/bin/openstack baremetal node inventory save {{ inventory_hostname }} register: save_result changed_when: False # Ignore errors, log a message later. diff --git a/ansible/inventory/group_vars/all/bifrost b/ansible/inventory/group_vars/all/bifrost index 76042ff6b..fc02cf5a0 100644 --- a/ansible/inventory/group_vars/all/bifrost +++ b/ansible/inventory/group_vars/all/bifrost @@ -89,8 +89,8 @@ kolla_bifrost_extra_kernel_options: [] ############################################################################### # Ironic Inspector configuration. -# List of of inspector processing plugins. -kolla_bifrost_inspector_processing_hooks: "{{ inspector_processing_hooks }}" +# List of of inspector plugins. +kolla_bifrost_inspector_hooks: "{{ inspector_hooks }}" # Which MAC addresses to add as ports during introspection. One of 'all', # 'active' or 'pxe'. diff --git a/ansible/inventory/group_vars/all/inspector b/ansible/inventory/group_vars/all/inspector index 4497d39eb..f74f39a09 100644 --- a/ansible/inventory/group_vars/all/inspector +++ b/ansible/inventory/group_vars/all/inspector 
@@ -31,40 +31,47 @@ inspector_ipa_ramdisk_checksum_url: "{{ ipa_ramdisk_checksum_url }}" inspector_ipa_ramdisk_checksum_algorithm: "{{ ipa_ramdisk_checksum_algorithm }}" ############################################################################### -# Ironic inspector processing configuration. +# Ironic inspector processing configuration for the inspector implementation +# built-in to Ironic. + +# List of hooks to enable for inspection. Default is [$default_hooks, memory, +# boot-mode, cpu-capabilities, pci-devices, parse-lldp]. +inspector_hooks_default: + - $default_hooks + - memory + - boot-mode + - cpu-capabilities + - pci-devices + - parse-lldp + +# List of extra inspection hooks to enable. Default is an empty list. +inspector_hooks_extra: [] + +# List of of additional inspector hooks to enable. Default is +# {{ inspector_hooks_default + inspector_hooks_extra }}. +inspector_hooks: > + {{ inspector_hooks_default + inspector_hooks_extra }} -# List of of default inspector processing plugins. -inspector_processing_hooks_default: - - ramdisk_error - - scheduler - - validate_interfaces - - capabilities - - pci_devices - - lldp_basic - - local_link_connection - -# List of of additional inspector processing plugins. -inspector_processing_hooks_extra: [] - -# List of of additional inspector processing plugins. -inspector_processing_hooks: > - {{ inspector_processing_hooks_default + inspector_processing_hooks_extra }} +############################################################################### +# Common Ironic Inspector processing configuration. # Which MAC addresses to add as ports during introspection. One of 'all', -# 'active' or 'pxe'. +# 'active' or 'pxe'. Default is 'pxe'. inspector_add_ports: "pxe" # Which ports to keep after introspection. One of 'all', 'present', or 'added'. +# Default is 'added'. inspector_keep_ports: "added" -# Whether to enable discovery of nodes not managed by Ironic. +# Whether to enable discovery of nodes not managed by Ironic. 
Default is true. inspector_enable_discovery: True -# The Ironic driver with which to register newly discovered nodes. +# The Ironic driver with which to register newly discovered nodes. Default is +# 'ipmi'. inspector_discovery_enroll_node_driver: "ipmi" ############################################################################### -# Ironic inspector configuration. +# Ironic inspector introspection rules configuration. # Ironic inspector IPMI username to set. inspector_ipmi_username: "{{ ipmi_username }}" @@ -86,9 +93,6 @@ inspector_lldp_switch_port_interface_default: eth0 # check for an LLDP switch port description to use as the node's name. inspector_lldp_switch_port_interface_map: {} -############################################################################### -# Ironic inspector introspection rules configuration. - # Enable IPMI rules: inspector_rules_ipmi_enabled: True 
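Review bot: The comment on `inspector_hooks` says "List of of additional inspector hooks to enable", but that variable is the combined list; the additions live in `inspector_hooks_extra`. A comment that matches the value would be `# List of inspector hooks to enable. Default is inspector_hooks_default + inspector_hooks_extra.` The section header says these settings are for the inspector built in to Ironic, yet `kolla_bifrost_inspector_hooks` in this commit consumes the same list. If Bifrost is meant to receive the new hyphenated hook names as well, a sentence saying so would help.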
@@ -114,17 +118,24 @@ inspector_rule_var_redfish_verify_ca: True inspector_rule_ipmi_credentials: description: "Set IPMI driver_info if no credentials" conditions: - - field: "node://driver_info.ipmi_username" - op: "is-empty" - - field: "node://driver_info.ipmi_password" - op: "is-empty" + - args: + value: "{node.driver_info.ipmi_username}" + regex: '\\{node\\.driver_info\\.ipmi_username\\}' + op: "matches" + - args: + value: "{node.driver_info.ipmi_password}" + regex: '\\{node\\.driver_info\\.ipmi_password\\}' + op: "matches" + sensitive: "true" actions: - - action: "set-attribute" - path: "driver_info/ipmi_username" - value: "{{ inspector_rule_var_ipmi_username }}" - - action: "set-attribute" - path: "driver_info/ipmi_password" - value: "{{ inspector_rule_var_ipmi_password }}" + - op: "set-attribute" + args: + path: "driver_info/ipmi_username" + value: "{{ inspector_rule_var_ipmi_username }}" + - op: "set-attribute" + args: + path: "driver_info/ipmi_password" + value: "{{ inspector_rule_var_ipmi_password }}" # Deployment kernel referenced by inspector rule. inspector_rule_var_deploy_kernel: @@ -133,12 +144,15 @@ inspector_rule_var_deploy_kernel: inspector_rule_deploy_kernel: description: "Set deploy kernel" conditions: - - field: "node://driver_info.deploy_kernel" - op: "is-empty" + - args: + value: "{node.driver_info.deploy_kernel}" + regex: '\\{node\\.driver_info\\.deploy_kernel\\}' + op: "matches" actions: - - action: "set-attribute" - path: "driver_info/deploy_kernel" - value: "{{ inspector_rule_var_deploy_kernel }}" + - op: "set-attribute" + args: + path: "driver_info/deploy_kernel" + value: "{{ inspector_rule_var_deploy_kernel }}" # Deployment ramdisk referenced by inspector rule. inspector_rule_var_deploy_ramdisk: 
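Review bot: The `regex` values in `inspector_rule_ipmi_credentials` are single-quoted, so YAML keeps both backslashes and the pattern stays `\\{node\\.driver_info\\.ipmi_username\\}`. The double-quoted patterns later in this file reduce to `\{node\.…\}`. Assuming the string reaches the regex engine unchanged, the single-quoted form requires literal backslashes in the input, so the condition would never match and the credentials would never be set. `inspector_rule_deploy_kernel` (next hunk) and `inspector_rule_deploy_ramdisk` (the hunk after that) use the same quoting. Writing them as `regex: '\{node\.driver_info\.ipmi_username\}'`, or switching to double quotes, would make all rules agree. Separately, `sensitive: "true"` is a string here while the Redfish rule uses the boolean `sensitive: true`; the boolean is the clearer spelling on a rule that carries the IPMI password.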
@@ -147,220 +161,233 @@ inspector_rule_var_deploy_ramdisk: inspector_rule_deploy_ramdisk: description: "Set deploy ramdisk" conditions: - - field: "node://driver_info.deploy_ramdisk" - op: "is-empty" - actions: - - action: "set-attribute" - path: "driver_info/deploy_ramdisk" - value: "{{ inspector_rule_var_deploy_ramdisk }}" - -# Ironic inspector rule to initialise root device hints. -inspector_rule_root_hint_init: - description: "Initialise root device hint" - conditions: - - field: "node://properties.root_device" - op: "is-empty" + - args: + value: "{node.driver_info.deploy_ramdisk}" + regex: '\\{node\\.driver_info\\.deploy_ramdisk\\}' + op: "matches" actions: - # Inspector can't combine references to introspection data with non-string - # types, see https://bugs.launchpad.net/ironic-inspector/+bug/1670768. We - # must therefore first set the root_device property to an empty dict, then - # update the fields within it. - - action: "set-attribute" - path: "properties/root_device" - value: {} + - op: "set-attribute" + args: + path: "driver_info/deploy_ramdisk" + value: "{{ inspector_rule_var_deploy_ramdisk }}" # Ironic inspector rule to set serial root device hint. inspector_rule_root_hint_serial: description: "Set serial root device hint" conditions: - - field: "data://root_disk.serial" - op: "is-empty" - invert: True + - args: + value: "{node.properties[root_device]}" + regex: "\\{node\\.properties\\[root_device\\]\\}" + op: "matches" actions: - - action: "set-attribute" - path: "properties/root_device/serial" - value: "{data[root_disk][serial]}" + - op: "set-attribute" + args: + path: "properties/root_device/name" + value: "{plugin_data[root_disk][by_path]}" + # Ironic inspector rule to set the interface on which the node PXE booted. 
inspector_rule_set_pxe_interface_mac: description: "Set node PXE interface MAC address" conditions: - - field: "data://boot_interface" - op: "is-empty" - invert: True + - args: + value: "{plugin_data[boot_interface]}" + regex: "'\\{plugin_data\\[boot_interface\\]\\}'" + op: "!matches" actions: - - action: "set-attribute" - path: "extra/pxe_interface_mac" - value: "{data[boot_interface]}" + - op: "set-attribute" + args: + path: "extra/pxe_interface_mac" + value: "{plugin_data[boot_interface]}" # Name of network interface to use for LLDP referenced by switch port # description rule. inspector_rule_var_lldp_switch_port_interface: +# Internal variables. Not meant for use externally. +_inspector_rule_interface_path: "{all_interfaces.{{ inspector_rule_var_lldp_switch_port_interface }}}" +_inspector_rule_lldp_processed_path: "{all_interfaces.{{ inspector_rule_var_lldp_switch_port_interface }}.lldp_processed}" +_inspector_rule_switch_port_description_path: "{all_interfaces.{{inspector_rule_var_lldp_switch_port_interface}}.lldp_processed.switch_port_description}" + # Ironic inspector rule to set the node's name from an interface's LLDP switch # port description. inspector_rule_lldp_switch_port_desc_to_name: description: "Set node name from {{ inspector_rule_var_lldp_switch_port_interface }} LLDP switch port description" conditions: # Check for the existence of the switch_port_description field. 
- - field: "data://all_interfaces.{{ inspector_rule_var_lldp_switch_port_interface }}" - op: "is-empty" - invert: True - - field: "data://all_interfaces.{{ inspector_rule_var_lldp_switch_port_interface }}.lldp_processed" - op: "is-empty" - invert: True - - field: "data://all_interfaces.{{ inspector_rule_var_lldp_switch_port_interface }}.lldp_processed.switch_port_description" - op: "is-empty" - invert: True + - args: + value: "{{ _inspector_rule_interface_path }}" + regex: "{{ _inspector_rule_interface_path | regex_escape }}" + op: "!matches" + - args: + value: "{{ _inspector_rule_lldp_processed_path }}" + regex: "{{ _inspector_rule_lldp_processed_path | regex_escape }}" + op: "!matches" + - args: + value: "{{ _inspector_rule_switch_port_description_path }}" + regex: "{{ _inspector_rule_switch_port_description_path | regex_escape }}" + op: "!matches" # Filter out switch port descriptions using the switch's interface names. # On some switches (including Dell Network OS 9.10(0.1) and some Ruckus # switches), the port description TLV is sent but contains the interface # name rather than the interface's description. Dell switches use a space # character between port type and port number, while Ruckus switches don't. 
- - field: "data://all_interfaces.{{inspector_rule_var_lldp_switch_port_interface}}.lldp_processed.switch_port_description" - op: "matches" - value: "^GigabitEthernet ?([0-9/]*)$" - invert: True - - field: "data://all_interfaces.{{inspector_rule_var_lldp_switch_port_interface}}.lldp_processed.switch_port_description" - op: "matches" - value: "^TenGigabitEthernet ?([0-9/]*)$" - invert: True - - field: "data://all_interfaces.{{inspector_rule_var_lldp_switch_port_interface}}.lldp_processed.switch_port_description" - op: "matches" - value: "^twentyFiveGigE ?([0-9/]*)$" - invert: True - - field: "data://all_interfaces.{{inspector_rule_var_lldp_switch_port_interface}}.lldp_processed.switch_port_description" - op: "matches" - value: "^fortyGigE ?([0-9/]*)$" - invert: True - - field: "data://all_interfaces.{{inspector_rule_var_lldp_switch_port_interface}}.lldp_processed.switch_port_description" - op: "matches" - value: "^Port-channel ?([0-9/]*)$" - invert: True + - op: "!matches" + args: + value: "{{ _inspector_rule_switch_port_description_path }}" + regex: "^GigabitEthernet ?([0-9/]*)$" + - op: "!matches" + args: + value: "{{ _inspector_rule_switch_port_description_path }}" + regex: "^TenGigabitEthernet ?([0-9/]*)$" + - op: "!matches" + args: + value: "{{ _inspector_rule_switch_port_description_path }}" + regex: "^twentyFiveGigE ?([0-9/]*)$" + - op: "!matches" + args: + value: "{{ _inspector_rule_switch_port_description_path }}" + regex: "^fortyGigE ?([0-9/]*)$" + - op: "!matches" + args: + value: "{{ _inspector_rule_switch_port_description_path }}" + regex: "^Port-channel ?([0-9/]*)$" actions: - - action: "set-attribute" - path: "name" - value: "{data[all_interfaces][{{ inspector_rule_var_lldp_switch_port_interface }}][lldp_processed][switch_port_description]}" - -# Ironic inspector rule to initialise system vendor data in the node's metadata. 
-inspector_rule_save_system_vendor_init: - description: "Initialise system vendor data in Ironic node metadata" - conditions: - - field: "data://inventory.system_vendor" - op: "is-empty" - invert: True - - field: "node://extra.system_vendor" - op: "is-empty" - actions: - - action: "set-attribute" - path: "extra/system_vendor" - value: {} + - op: "set-attribute" + args: + path: "name" + value: "{{ _inspector_rule_switch_port_description_path }}" # Ironic inspector rule to save system vendor manufacturer data in the node's # metadata. inspector_rule_save_system_vendor_manufacturer: description: "Save system vendor manufacturer data in Ironic node metadata" conditions: - - field: "data://inventory.system_vendor" - op: "is-empty" - invert: True - - field: "data://inventory.system_vendor.manufacturer" - op: "is-empty" - invert: True + - args: + value: "{inventory.system_vendor}" + regex: "\\{inventory\\.system_vendor\\}" + op: "!matches" + - args: + value: "{inventory.system_vendor.manufacturer}" + regex: "\\{inventory\\.system_vendor\\.manufacturer\\}" + op: "!matches" actions: - - action: "set-attribute" - path: "extra/system_vendor/manufacturer" - value: "{data[inventory][system_vendor][manufacturer]}" + - op: "set-attribute" + args: + path: "extra/system_vendor/manufacturer" + value: "{inventory[system_vendor][manufacturer]}" # Ironic inspector rule to save system vendor serial number in the node's # metadata. 
inspector_rule_save_system_vendor_serial_number: description: "Save system vendor serial number in Ironic node metadata" conditions: - - field: "data://inventory.system_vendor" - op: "is-empty" - invert: True - - field: "data://inventory.system_vendor.serial_number" - op: "is-empty" - invert: True + - args: + value: "{inventory.system_vendor}" + regex: "\\{inventory\\.system_vendor\\}" + op: "!matches" + - args: + value: "{inventory.system_vendor.serial_number}" + regex: "\\{inventory\\.system_vendor\\.serial_number\\}" + op: "!matches" actions: - - action: "set-attribute" - path: "extra/system_vendor/serial_number" - value: "{data[inventory][system_vendor][serial_number]}" + - op: "set-attribute" + args: + path: "extra/system_vendor/serial_number" + value: "{inventory[system_vendor][serial_number]}" # Ironic inspector rule to save system vendor product name in the node's # metadata. inspector_rule_save_system_vendor_product_name: description: "Save system vendor product name in Ironic node metadata" conditions: - - field: "data://inventory.system_vendor" - op: "is-empty" - invert: True - - field: "data://inventory.system_vendor.product_name" - op: "is-empty" - invert: True + - args: + value: "{inventory.system_vendor}" + regex: "\\{inventory\\.system_vendor\\}" + op: "!matches" + - args: + value: "{inventory.system_vendor.product_name}" + regex: "\\{inventory\\.system_vendor\\.product_name\\}" + op: "!matches" actions: - - action: "set-attribute" - path: "extra/system_vendor/product_name" - value: "{data[inventory][system_vendor][product_name]}" + - op: "set-attribute" + args: + path: "extra/system_vendor/product_name" + value: "{inventory[system_vendor][product_name]}" # Ironic inspector rule to save introspection data to the node. 
inspector_rule_save_data: description: "Save introspection data to Ironic node" conditions: [] actions: - - action: "set-attribute" - path: "extra/introspection_data" - value: "{data}" + - op: "set-attribute" + args: + path: "extra/introspection_data/inventory" + value: "{inventory}" + - op: "set-attribute" + args: + path: "extra/introspection_data/plugin_data" + value: "{plugin_data}" # Redfish rules # Ironic inspector rule to set Redfish credentials. inspector_rule_redfish_credentials: description: "Set Redfish driver_info if no credentials" conditions: - - field: "node://driver_info.redfish_username" - op: "is-empty" - - field: "node://driver_info.redfish_password" - op: "is-empty" + - args: + value: "{node.driver_info.redfish_username}" + regex: "\\{node\\.driver_info\\.redfish_username\\}" + op: "matches" + - args: + value: "{node.driver_info.redfish_password}" + regex: "\\{node\\.driver_info\\.redfish_password\\}" + op: "matches" + sensitive: true actions: - - action: "set-attribute" - path: "driver_info/redfish_username" - value: "{{ inspector_rule_var_redfish_username }}" - - action: "set-attribute" - path: "driver_info/redfish_password" - value: "{{ inspector_rule_var_redfish_password }}" + - op: "set-attribute" + args: + path: "driver_info/redfish_username" + value: "{{ inspector_rule_var_redfish_username }}" + - op: "set-attribute" + args: + path: "driver_info/redfish_password" + value: "{{ inspector_rule_var_redfish_password }}" # Ironic inspector rule to set Redfish address. 
inspector_rule_redfish_address: description: "Set Redfish address" conditions: - - field: "node://driver_info.redfish_address" - op: "is-empty" + - args: + value: "{node.driver_info.redfish_address}" + regex: "\\{node\\.driver_info\\.redfish_address\\}" + op: "matches" actions: - - action: "set-attribute" - path: "driver_info/redfish_address" - value: "{data[inventory][bmc_address]}" + - op: "set-attribute" + args: + path: "driver_info/redfish_address" + value: "{inventory[bmc_address]}" # Ironic inspector rule to set Redfish certificate authority. inspector_rule_redfish_verify_ca: description: "Set Redfish Verify CA" conditions: - - field: "node://driver_info.redfish_verify_ca" - op: "is-empty" + - args: + value: "{node.driver_info.redfish_verify_ca}" + regex: "\\{node\\.driver_info\\.redfish_verify_ca\\}" + op: "matches" actions: - - action: "set-attribute" - path: "driver_info/redfish_verify_ca" - value: "{{ inspector_rule_var_redfish_verify_ca }}" + - op: "set-attribute" + args: + path: "driver_info/redfish_verify_ca" + value: "{{ inspector_rule_var_redfish_verify_ca }}" # List of default ironic inspector rules. inspector_rules_default: - "{{ inspector_rule_deploy_kernel }}" - "{{ inspector_rule_deploy_ramdisk }}" - - "{{ inspector_rule_root_hint_init }}" - "{{ inspector_rule_root_hint_serial }}" - "{{ inspector_rule_set_pxe_interface_mac }}" - "{{ inspector_rule_lldp_switch_port_desc_to_name }}" - - "{{ inspector_rule_save_system_vendor_init }}" - "{{ inspector_rule_save_system_vendor_manufacturer }}" - "{{ inspector_rule_save_system_vendor_serial_number }}" - "{{ inspector_rule_save_system_vendor_product_name }}" diff --git a/ansible/inventory/group_vars/all/kolla b/ansible/inventory/group_vars/all/kolla index ec74668ff..411b116e6 100644 --- a/ansible/inventory/group_vars/all/kolla +++ b/ansible/inventory/group_vars/all/kolla 
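Review bot: In `inspector_rule_set_pxe_interface_mac` the pattern is written `"'\\{plugin_data\\[boot_interface\\]\\}'"`, which embeds literal single quotes in the regex; no other rule in this hunk does that. If the value under test is the bare placeholder, the `!matches` condition would hold for every node, including ones that reported no `boot_interface`. Dropping the inner quotes, `regex: "\\{plugin_data\\[boot_interface\\]\\}"`, brings it in line with the other rules. `inspector_rule_root_hint_serial` keeps its name and the description "Set serial root device hint" although it now writes `properties/root_device/name` from `by_path`, so the description should be updated to match what the rule does.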
@@ -153,7 +153,7 @@ overcloud_container_image_regex_map: - regex: ^designate enabled: "{{ kolla_enable_designate | bool }}" - regex: ^dnsmasq - enabled: "{{ kolla_enable_ironic | bool }}" + enabled: "{{ kolla_enable_ironic_dnsmasq | bool }}" - regex: ^etcd enabled: "{{ kolla_enable_etcd | bool }}" - regex: ^fluentd @@ -548,6 +548,8 @@ kolla_enable_heat: "{{ kolla_enable_openstack_core | bool }}" kolla_enable_horizon: "{{ kolla_enable_openstack_core | bool }}" kolla_enable_influxdb: "{{ kolla_enable_cloudkitty | bool }}" kolla_enable_ironic: "no" +kolla_enable_ironic_dnsmasq: "{{ kolla_enable_ironic | bool and kolla_inspector_enable_discovery | bool }}" +kolla_enable_ironic_pxe_filter: "{{ kolla_enable_ironic | bool and kolla_inspector_enable_discovery | bool }}" kolla_enable_ironic_neutron_agent: "{{ kolla_enable_neutron | bool and kolla_enable_ironic | bool }}" kolla_enable_iscsid: "{{ kolla_enable_cinder | bool and kolla_enable_cinder_backend_iscsi | bool }}" kolla_enable_kuryr: "no" @@ -695,3 +697,7 @@ kolla_https_proxy: "{{ https_proxy }}" # List of domains, hostnames, IP addresses and networks for which no proxy is # used. Default value is "{{ no_proxy }}". kolla_no_proxy: "{{ no_proxy }}" + +############################################################################## +# Inspector configuration +kolla_inspector_enable_discovery: "{{ inspector_enable_discovery | bool }}" \ No newline at end of file diff --git a/ansible/inventory/group_vars/all/openstack b/ansible/inventory/group_vars/all/openstack index e2525ac78..430293d3f 100644 --- a/ansible/inventory/group_vars/all/openstack +++ b/ansible/inventory/group_vars/all/openstack 
@@ -9,6 +9,11 @@ openstack_release: "master" openstack_branch: >- {% if openstack_release != 'master' %}stable/{% endif %}{{ openstack_release | lower }} +############################################################################### +# OpenStack virtualenv configuration. + +os_virtualenv_python: "{{ '/usr/bin/python3.12' if ansible_facts.os_family == 'RedHat' else '/usr/bin/python3' }}" + ############################################################################### # OpenStack authentication configuration. @@ -28,6 +33,19 @@ openstack_auth: auth_url: "{{ lookup('env', 'OS_AUTH_URL') }}" system_scope: "{{ lookup('env', 'OS_SYSTEM_SCOPE') }}" +# Internal variable to set the system scope authentication. +openstack_auth_system_scope_value: 'all' + +# Overcloud authentication parameters for system scope. By default this will +# use the user defined in openstack_auth. +# NOTE(wszumski): Not all projects support system scope yet and we sometimes need +# to use system scope and project scope in the same ansible run. +openstack_auth_system_scope: >- + {{ openstack_auth | combine( + {'system_scope': openstack_auth_system_scope_value, + 'project_domain_name': '', + 'project_name': ''})}} + # Overcloud CA certificate path. openstack_cacert: "{{ lookup('env', 'OS_CACERT') }}" @@ -49,6 +67,14 @@ openstack_auth_env: OS_CACERT: "{{ lookup('env', 'OS_CACERT') }}" OS_SYSTEM_SCOPE: "{{ lookup('env', 'OS_SYSTEM_SCOPE') }}" +# Overcloud authentication environment variables for system scope. By default +# this will use the user defined in openstack_auth_env. +openstack_auth_env_system_scope: >- + {{ openstack_auth_env | combine( + {'OS_SYSTEM_SCOPE': openstack_auth_system_scope_value, + 'OS_PROJECT_DOMAIN_NAME': '', + 'OS_PROJECT_NAME': ''})}} + # List of parameters required in openstack_auth when openstack_auth_type is # password. openstack_auth_password_required_params: 
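Review bot: `openstack_auth_system_scope` blanks only `project_name` and `project_domain_name`. A deployment whose `openstack_auth` identifies the project by ID would therefore still send a project scope alongside `system_scope`; the `openstack_auth` mapping starts outside this hunk, so the keys it holds cannot be seen here. The same applies to `openstack_auth_env_system_scope` in the next hunk with `OS_PROJECT_ID` and `OS_PROJECT_DOMAIN_ID`. Clearing those keys too, or documenting that only name-based project scoping is supported, would remove the ambiguity. `openstack_auth_system_scope_value` is described as internal but is not underscore-prefixed like the `_inspector_rule_*` helpers added in this commit, and a comment that `all` requests system-wide scope would help operators who reuse these variables.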
@@ -56,3 +82,10 @@ openstack_auth_password_required_params: - "username" - "password" - "auth_url" + +# List of parameters required in openstack_auth when openstack_auth_type is +# password and using system scope +openstack_auth_password_required_params_system: + - "username" + - "password" + - "auth_url" diff --git a/ansible/kolla-bifrost-hostvars.yml b/ansible/kolla-bifrost-hostvars.yml index d560e4d0e..ebe13ceb0 100644 --- a/ansible/kolla-bifrost-hostvars.yml +++ b/ansible/kolla-bifrost-hostvars.yml @@ -61,7 +61,7 @@ -e @/etc/bifrost/dib.yml --limit {{ inventory_hostname }} -m shell - -a "env OS_CLOUD=bifrost baremetal introspection data save {% raw %}{{ inventory_hostname }}{% endraw %}"' + -a "env OS_CLOUD=bifrost baremetal inventory save {% raw %}{{ inventory_hostname }}{% endraw %}"' register: save_result changed_when: False # Ignore errors, log a message later. diff --git a/ansible/kolla-openstack.yml b/ansible/kolla-openstack.yml index bb116330d..ea2aec967 100644 --- a/ansible/kolla-openstack.yml +++ b/ansible/kolla-openstack.yml @@ -131,7 +131,7 @@ roles: - role: kolla-openstack # Ironic inspector configuration. - kolla_inspector_processing_hooks: "{{ inspector_processing_hooks }}" + kolla_inspector_hooks: "{{ inspector_hooks }}" kolla_inspector_add_ports: "{{ inspector_add_ports }}" kolla_inspector_keep_ports: "{{ inspector_keep_ports }}" kolla_inspector_enable_discovery: "{{ inspector_enable_discovery }}" diff --git a/ansible/overcloud-introspection-data-save.yml b/ansible/overcloud-introspection-data-save.yml index 284a899f2..0e2b16111 100644 --- a/ansible/overcloud-introspection-data-save.yml +++ b/ansible/overcloud-introspection-data-save.yml 
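Review bot: In `ansible/kolla-bifrost-hostvars.yml` the command becomes `baremetal inventory save`, but `ansible/overcloud-introspection-data-save.yml` and `ansible/baremetal-compute-introspection-data-save.yml` in this same commit use `baremetal node inventory save`, so one of the two spellings is presumably wrong. The context comment says errors are ignored and only logged later, so a mistyped subcommand would not fail the play. If the `node` form is the intended one, the line should read `-a "env OS_CLOUD=bifrost baremetal node inventory save {% raw %}{{ inventory_hostname }}{% endraw %}"'`. The task starts and ends outside the hunk.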
@@ -25,7 +25,7 @@ -e @/etc/bifrost/dib.yml --limit {{ inventory_hostname }} -m shell - -a "env OS_CLOUD=bifrost baremetal introspection data save {% raw %}{{ inventory_hostname }}{% endraw %}"' + -a "env OS_CLOUD=bifrost baremetal node inventory save {% raw %}{{ inventory_hostname }}{% endraw %}"' register: save_result changed_when: False # Ignore errors, log a message later. diff --git a/ansible/overcloud-introspection-rules.yml b/ansible/overcloud-introspection-rules.yml index 0782800d2..4c4f1126c 100644 --- a/ansible/overcloud-introspection-rules.yml +++ b/ansible/overcloud-introspection-rules.yml @@ -55,3 +55,23 @@ changed_when: False register: ipa_ramdisk_id environment: "{{ openstack_auth_env }}" + + roles: + - role: ironic-inspector-rules + os_openstacksdk_install_epel: "{{ dnf_install_epel }}" + os_openstacksdk_state: "latest" + ironic_inspector_venv: "{{ venv }}" + ironic_inspector_upper_constraints_file: "{{ openstacksdk_upper_constraints_file }}" + ironic_inspector_auth_type: "{{ openstack_auth_type }}" + ironic_inspector_auth: "{{ openstack_auth_system_scope }}" + ironic_inspector_cacert: "{{ openstack_cacert }}" + ironic_inspector_interface: "{{ openstack_interface }}" + ironic_inspector_rules: "{{ inspector_rules }}" + # These variables may be referenced in the introspection rules. + inspector_rule_var_ipmi_username: "{{ inspector_ipmi_username }}" + inspector_rule_var_ipmi_password: "{{ inspector_ipmi_password }}" + inspector_rule_var_redfish_username: "{{ inspector_redfish_username }}" + inspector_rule_var_redfish_password: "{{ inspector_redfish_password }}" + inspector_rule_var_lldp_switch_port_interface: "{{ inspector_lldp_switch_port_interface_default }}" + inspector_rule_var_deploy_kernel: "{{ ipa_kernel_id.stdout }}" + inspector_rule_var_deploy_ramdisk: "{{ ipa_ramdisk_id.stdout }}" diff --git a/ansible/roles/ironic-inspector-rules/defaults/main.yml b/ansible/roles/ironic-inspector-rules/defaults/main.yml index ee38abae1..fd36cc0cf 100644 
--- a/ansible/roles/ironic-inspector-rules/defaults/main.yml +++ b/ansible/roles/ironic-inspector-rules/defaults/main.yml @@ -2,7 +2,7 @@ # Path to a directory in which to create a virtualenv. ironic_inspector_venv: -# Upper constraints file for installation of python-ironic-inspector-client. +# Upper constraints file for installation of python-ironicclient. ironic_inspector_upper_constraints_file: # Authentication type. diff --git a/ansible/roles/ironic-inspector-rules/library/os_ironic_inspector_rule.py b/ansible/roles/ironic-inspector-rules/library/os_ironic_inspector_rule.py index 5db8f8088..c84743a51 100644 --- a/ansible/roles/ironic-inspector-rules/library/os_ironic_inspector_rule.py +++ b/ansible/roles/ironic-inspector-rules/library/os_ironic_inspector_rule.py @@ -53,6 +53,10 @@ description: - List of actions to be taken when the conditions are met. required: true + sensitive: + description: + - Whether to mark the rule as sensitive in Ironic + required: false """ EXAMPLES = """ @@ -74,13 +78,13 @@ def _get_client(module, cloud): """Return an Ironic inspector client.""" - return cloud.baremetal_introspection + return cloud.baremetal def _ensure_rule_present(module, client): """Ensure that an inspector rule is present.""" if module.params['uuid']: - response = client.get('/rules/{}'.format(module.params['uuid'])) + response = client.get('/inspection_rules/{}'.format(module.params['uuid']), headers={'X-OpenStack-Ironic-API-Version': '1.96'}) if not response.ok: if response.status_code != 404: module.fail_json(msg="Failed retrieving Inspector rule %s: %s" @@ -88,7 +92,7 @@ def _ensure_rule_present(module, client): else: rule = response.json() # Check whether the rule differs from the request. - keys = ('conditions', 'actions', 'description') + keys = ('conditions', 'actions', 'description', 'sensitive') for key in keys: expected = module.params[key] if key == 'conditions': 
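Review bot: The microversion header `{'X-OpenStack-Ironic-API-Version': '1.96'}` is written out literally in this `get` call and again in the `post` and `delete` calls in later hunks. A module-level constant such as `IRONIC_API_HEADERS = {'X-OpenStack-Ironic-API-Version': '1.96'}`, with a comment saying why 1.96 is required, would keep the three call sites in step. The docstring of `_get_client` still says "Return an Ironic inspector client." although the function now returns `cloud.baremetal`; `"""Return the Ironic bare metal API client."""` would match. `_ensure_rule_present` continues outside the hunk.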
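Review bot: Adding `'sensitive'` to `keys` keeps the field-by-field comparison of the stored rule with the request, and for a rule marked sensitive that comparison may never succeed if Ironic withholds `conditions` and `actions` in its GET response (worth confirming against the API reference). In that case the loop would break on the first key and the function would go on to POST the rule again on every run. A comment stating what the API returns for sensitive rules, or skipping the `conditions`/`actions` comparison when `rule['sensitive']` is set, would make the idempotency behaviour explicit. The loop body continues outside the hunk.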
@@ -96,9 +100,10 @@ def _ensure_rule_present(module, client): # conditions that may not be in the requested rule. Apply # defaults to allow the comparison to succeed. expected = copy.deepcopy(expected) + if key == 'actions': + expected = copy.deepcopy(expected) for condition in expected: - condition.setdefault('invert', False) - condition.setdefault('multiple', 'any') + condition.setdefault('loop', []) if rule[key] != expected: break else: @@ -111,9 +116,10 @@ def _ensure_rule_present(module, client): "conditions": module.params['conditions'], "actions": module.params['actions'], "description": module.params['description'], + "sensitive": module.params['sensitive'], "uuid": module.params['uuid'], } - response = client.post("/rules", json=rule) + response = client.post("/inspection_rules", json=rule, headers={'X-OpenStack-Ironic-API-Version': '1.96'}) if not response.ok: module.fail_json(msg="Failed creating Inspector rule %s: %s" % (module.params['uuid'], response.text)) @@ -124,7 +130,7 @@ def _ensure_rule_absent(module, client): """Ensure that an inspector rule is absent.""" if not module.params['uuid']: module.fail_json(msg="UUID is required to ensure rules are absent") - response = client.delete("/rules/{}".format(module.params['uuid'])) + response = client.delete("/inspection_rules/{}".format(module.params['uuid']), headers={'X-OpenStack-Ironic-API-Version': '1.96'}) if not response.ok: # If the rule does not exist, no problem and no change. if response.status_code == 404: @@ -140,6 +146,7 @@ def main(): actions=dict(type='list', required=True), description=dict(required=False), uuid=dict(required=False), + sensitive=dict(type='bool', required=False, default=False), state=dict(required=False, default='present', choices=['present', 'absent']), ) diff --git a/ansible/roles/ironic-inspector-rules/tasks/main.yml b/ansible/roles/ironic-inspector-rules/tasks/main.yml index 93fbe7fcb..41a1aab7e 100644 --- a/ansible/roles/ironic-inspector-rules/tasks/main.yml 
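Review bot: The added `if key == 'actions':` branch deep-copies `expected`, but it is not clear from this hunk what then modifies the copy. The following loop still names its variable `condition`, and indentation is not recoverable on this page, so the loop may run for conditions only, for actions only, or for both. If both are meant to receive the `loop` default, `if key in ('conditions', 'actions'):` with a neutral loop variable (`for entry in expected:`) and an updated comment would say so directly. The block starts outside the hunk.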
+++ b/ansible/roles/ironic-inspector-rules/tasks/main.yml @@ -8,9 +8,12 @@ cacert: "{{ ironic_inspector_cacert | default(omit, true) }}" cloud: "{{ ironic_inspector_cloud | default(omit, true) }}" interface: "{{ ironic_inspector_interface | default(omit, true) }}" - conditions: "{{ item.conditions }}" - actions: "{{ item.actions }}" - description: "{{ item.description | default(omit) }}" - uuid: "{{ item.uuid | default(item.description | to_uuid) | default(omit) }}" + conditions: "{{ ironic_inspector_rules[item].conditions }}" + actions: "{{ ironic_inspector_rules[item].actions }}" + description: "{{ ironic_inspector_rules[item].description | default(omit) }}" + uuid: "{{ ironic_inspector_rules[item].uuid | default(ironic_inspector_rules[item].description | to_uuid) | default(omit) }}" + sensitive: "{{ ironic_inspector_rules[item].sensitive | default(omit) }}" state: present - with_items: "{{ ironic_inspector_rules }}" + loop_control: + label: "{{ ironic_inspector_rules[item].description }}" + with_items: "{{ range(0, ironic_inspector_rules | length) | list }}" diff --git a/ansible/roles/kolla-ansible/templates/kolla/globals.yml b/ansible/roles/kolla-ansible/templates/kolla/globals.yml index a1a01451d..ccc37cddf 100644 --- a/ansible/roles/kolla-ansible/templates/kolla/globals.yml +++ b/ansible/roles/kolla-ansible/templates/kolla/globals.yml @@ -403,7 +403,7 @@ ironic_dnsmasq_dhcp_ranges: {% endif %} {% endif %} {% if kolla_inspector_extra_kernel_options %} -ironic_inspector_kernel_cmdline_extras: +ironic_kernel_cmdline_extras: {{ kolla_inspector_extra_kernel_options | to_nice_yaml }} {% endif %} # PXE bootloader file for Ironic Inspector, relative to /var/lib/ironic/tftpboot. diff --git a/ansible/roles/kolla-bifrost/defaults/main.yml b/ansible/roles/kolla-bifrost/defaults/main.yml index ae2e5fa47..eff98ea8f 100644 --- a/ansible/roles/kolla-bifrost/defaults/main.yml +++ b/ansible/roles/kolla-bifrost/defaults/main.yml 
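Review bot: Rules flagged `sensitive` carry BMC passwords in `actions` (see `inspector_rule_ipmi_credentials`), and this task passes `actions` as a plain module argument. The values can therefore appear in verbose output and in callback or log plugins, even though the new `loop_control.label` keeps them out of the normal per-item line. Adding `no_log: "{{ ironic_inspector_rules[item].sensitive | default(false) | bool }}"` to the task would suppress that for sensitive rules. The label also dereferences `description` without a default while the `description` argument treats it as optional; `label: "{{ ironic_inspector_rules[item].description | default(item) }}"` avoids an undefined-variable error. The task starts outside the hunk.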
@@ -42,7 +42,7 @@ kolla_bifrost_dnsmasq_dns_servers: [] kolla_bifrost_domain: # List of of inspector processing plugins. -kolla_bifrost_inspector_processing_hooks: +kolla_bifrost_inspector_hooks: # Which MAC addresses to add as ports during introspection. One of 'all', # 'active' or 'pxe'. diff --git a/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml b/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml index 5269328fe..e1e671b67 100644 --- a/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml +++ b/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml @@ -28,9 +28,9 @@ dnsmasq_dns_servers: "{{ kolla_bifrost_dnsmasq_dns_servers | join(',') }}" domain: "{{ kolla_bifrost_domain }}" {% endif %} -{% if kolla_bifrost_inspector_processing_hooks %} +{% if kolla_bifrost_inspector_hooks %} # Comma-separated list of inspector processing plugins. -inspector_processing_hooks: "{{ kolla_bifrost_inspector_processing_hooks | join(',') }}" +inspector_hooks: "{{ kolla_bifrost_inspector_hooks | join(',') }}" {% endif %} {% if kolla_bifrost_inspector_port_addition %} diff --git a/ansible/roles/kolla-openstack/defaults/main.yml b/ansible/roles/kolla-openstack/defaults/main.yml index c326bd838..0fabde950 100644 --- a/ansible/roles/kolla-openstack/defaults/main.yml +++ b/ansible/roles/kolla-openstack/defaults/main.yml @@ -567,7 +567,9 @@ kolla_extra_ironic: # Ironic inspector configuration. # Comma-separated list of inspector processing plugins. -kolla_inspector_processing_hooks: + +# Comma-separated list of inspector processing plugins for built-in inspector +kolla_inspector_hooks: # Which MAC addresses to add as ports during introspection. One of 'all', # 'active' or 'pxe'. diff --git a/ansible/roles/kolla-openstack/templates/kolla/config/ironic.conf b/ansible/roles/kolla-openstack/templates/kolla/config/ironic.conf index cbb8ca683..3961eb631 100644 
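Review bot: In the kolla-openstack defaults hunk, the old comment `# Comma-separated list of inspector processing plugins.` is left behind above the new blank line and no longer documents anything; it should be removed. The new comment also calls `kolla_inspector_hooks` comma-separated, but the ironic.conf template in this patch renders it with `join(',')`, so the variable is a list: `# List of inspection hooks for the built-in inspector.` would be accurate.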
--- a/ansible/roles/kolla-openstack/templates/kolla/config/ironic.conf +++ b/ansible/roles/kolla-openstack/templates/kolla/config/ironic.conf @@ -1,4 +1,11 @@ [DEFAULT] +enabled_inspect_interfaces = redfish,no-inspect,agent +{% if kolla_inspector_enable_discovery | bool %} +# Setting default_inspect_interface is required for the inspection flow to +# continue correctly after the node creation. See: +# https://docs.openstack.org/ironic/latest/admin/inspection/discovery.html +default_inspect_interface = agent +{% endif %} {% if kolla_ironic_enabled_hardware_types %} enabled_hardware_types: {{ kolla_ironic_enabled_hardware_types | join(',') }} {% endif %} @@ -37,6 +44,31 @@ kernel_append_params = {{ kolla_ironic_pxe_append_params | join(' ') }} tftp_server = {{ hostvars[inventory_hostname].ansible_facts[api_interface | replace('-', '_')]['ipv4']['address'] }} {% endraw %} +[auto_discovery] +enabled = {{ kolla_inspector_enable_discovery }} +driver = {{ kolla_inspector_discovery_enroll_node_driver }} + +[inspector] +{% if kolla_inspector_enable_discovery | bool %} +# Under unmanaged inspection we understand in-band inspection where the boot +# configuration (iPXE scripts, DHCP options, etc) is not provided by the Bare +# Metal service. In this case, the node is simply set to boot from network and +# powered on. See: +# https://docs.openstack.org/ironic/latest/admin/inspection/managed.html#unmanaged-inspection +require_managed_boot = False +{% endif %} +{% if kolla_inspector_add_ports %} +add_ports = {{ kolla_inspector_add_ports }} +{% endif %} + +{% if kolla_inspector_keep_ports %} +keep_ports = {{ kolla_inspector_keep_ports }} +{% endif %} + +{% if kolla_inspector_hooks %} +hooks = {{ kolla_inspector_hooks | join(',') }} +{% endif %} + {% if kolla_extra_ironic %} ####################### # Extra configuration diff --git a/ansible/seed-introspection-rules.yml b/ansible/seed-introspection-rules.yml index ca92bdd13..edcb031bf 100644 
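Review bot: `enabled_inspect_interfaces = redfish,no-inspect,agent` is hard-coded at the top of `[DEFAULT]`, while the release note in this same patch tells operators to add `inspector` and `agent` through `kolla_ironic_enabled_inspect_interfaces` for the upgrade. If the template also renders that variable further down (outside the hunk), `[DEFAULT]` carries the option twice and the effective value depends on the parser; if it does not, the operator setting has no effect on this line. Rendering the line from the variable, or dropping the literal, avoids both outcomes.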
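Review bot: The `[auto_discovery]` section in the second hunk is written unconditionally, so the file carries `driver = ...` even with discovery disabled, and an unset `kolla_inspector_discovery_enroll_node_driver` would probably render as `None`. Wrapping both lines in the `{% if kolla_inspector_enable_discovery | bool %}` guard already used for `require_managed_boot` avoids that, and `enabled = {{ kolla_inspector_enable_discovery | bool }}` keeps the rendered value consistent with how the conditionals read the variable. With discovery on, any machine that boots the inspection ramdisk on that network is enrolled, which deserves a line in the template comment.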
--- a/ansible/seed-introspection-rules.yml +++ b/ansible/seed-introspection-rules.yml @@ -19,4 +19,4 @@ inspector_rule_var_lldp_switch_port_interface: "{{ kolla_bifrost_inspector_lldp_switch_port_interface }}" inspector_rule_var_deploy_kernel: "{{ kolla_bifrost_inspector_deploy_kernel }}" inspector_rule_var_deploy_ramdisk: "{{ kolla_bifrost_inspector_deploy_ramdisk }}" - when: kolla_enable_bifrost | bool and false # TODO(priteau): Re-enable with built-in inspection + when: kolla_enable_bifrost | bool diff --git a/dev/functions b/dev/functions index 4a627e2a9..907151f10 100644 --- a/dev/functions +++ b/dev/functions @@ -563,9 +563,9 @@ function overcloud_test_init { environment_setup if [[ ! -z "$UPPER_CONSTRAINTS_FILE" ]]; then - pip install python-openstackclient -c "$UPPER_CONSTRAINTS_FILE" + pip install python-openstackclient python-ironicclient -c "$UPPER_CONSTRAINTS_FILE" else - pip install python-openstackclient + pip install python-openstackclient python-ironicclient fi source "${KOLLA_CONFIG_PATH:-/etc/kolla}/admin-openrc.sh" diff --git a/doc/source/configuration/reference/bifrost.rst b/doc/source/configuration/reference/bifrost.rst index 4180dd3da..cbd3e738e 100644 --- a/doc/source/configuration/reference/bifrost.rst +++ b/doc/source/configuration/reference/bifrost.rst @@ -268,9 +268,9 @@ Ironic Inspector configuration The following options configure the Ironic Inspector service in the ``bifrost-deploy`` container. -``kolla_bifrost_inspector_processing_hooks`` +``kolla_bifrost_inspector_hooks`` List of of inspector processing plugins. Default is ``{{ - inspector_processing_hooks }}``, defined in + inspector_hooks }}``, defined in ``${KAYOBE_CONFIG_PATH}/inspector.yml``. ``kolla_bifrost_inspector_port_addition`` Which MAC addresses to add as ports during introspection. One of ``all``, diff --git a/etc/kayobe/bifrost.yml b/etc/kayobe/bifrost.yml index 8c5e9a501..4150e6600 100644 --- a/etc/kayobe/bifrost.yml +++ b/etc/kayobe/bifrost.yml 
@@ -90,7 +90,7 @@ # Ironic Inspector configuration. # List of of inspector processing plugins. -#kolla_bifrost_inspector_processing_hooks: +#kolla_bifrost_inspector_hooks: # Which MAC addresses to add as ports during introspection. One of 'all', # 'active' or 'pxe'. diff --git a/etc/kayobe/inspector.yml b/etc/kayobe/inspector.yml index 713751dfc..926316b71 100644 --- a/etc/kayobe/inspector.yml +++ b/etc/kayobe/inspector.yml 
@@ -31,32 +31,40 @@ #inspector_ipa_ramdisk_checksum_algorithm: ############################################################################### -# Ironic inspector processing configuration. +# Ironic inspector processing configuration for the inspector implementation +# built-in to Ironic. -# List of of default inspector processing plugins. -#inspector_processing_hooks_default: +# List of hooks to enable for inspection. Default is [$default_hooks, memory, +# boot-mode, cpu-capabilities, pci-devices, parse-lldp]. +#inspector_hooks_default: -# List of of additional inspector processing plugins. -#inspector_processing_hooks_extra: +# List of extra inspection hooks to enable. Default is an empty list. +#inspector_hooks_extra: -# List of of additional inspector processing plugins. -#inspector_processing_hooks: +# List of of additional inspector hooks to enable. Default is +# {{ inspector_hooks_default + inspector_hooks_extra }}. +#inspector_hooks: + +############################################################################### +# Common Ironic Inspector processing configuration. # Which MAC addresses to add as ports during introspection. One of 'all', -# 'active' or 'pxe'. +# 'active' or 'pxe'. Default is 'pxe'. #inspector_add_ports: # Which ports to keep after introspection. One of 'all', 'present', or 'added'. +# Default is 'added'. #inspector_keep_ports: -# Whether to enable discovery of nodes not managed by Ironic. +# Whether to enable discovery of nodes not managed by Ironic. Default is true. #inspector_enable_discovery: -# The Ironic driver with which to register newly discovered nodes. +# The Ironic driver with which to register newly discovered nodes. Default is +# 'ipmi'. #inspector_discovery_enroll_node_driver: ############################################################################### -# Ironic inspector configuration. +# Ironic inspector introspection rules configuration. # Ironic inspector option to enable IPMI rules. Set to 'True' by default. 
#inspector_rules_ipmi_enabled: @@ -90,9 +98,6 @@ # Redfish CA setting. Set to 'True' by default #inspector_rule_var_redfish_verify_ca: -############################################################################### -# Ironic inspector introspection rules configuration. - # Ironic inspector rule to set IPMI credentials. #inspector_rule_ipmi_credentials: @@ -102,9 +107,6 @@ # Ironic inspector rule to set deployment ramdisk. #inspector_rule_deploy_ramdisk: -# Ironic inspector rule to initialise root device hints. -#inspector_rule_root_hint_init: - # Ironic inspector rule to set serial root device hint. #inspector_rule_root_hint_serial: diff --git a/playbooks/kayobe-overcloud-base/run.yml b/playbooks/kayobe-overcloud-base/run.yml index cdc3828e2..76ecd8af6 100644 --- a/playbooks/kayobe-overcloud-base/run.yml +++ b/playbooks/kayobe-overcloud-base/run.yml @@ -41,7 +41,6 @@ cmd: dev/overcloud-test-baremetal.sh &> {{ logs_dir }}/ansible/overcloud-test-baremetal chdir: "{{ kayobe_src_dir }}" executable: /bin/bash - when: false # TODO(priteau): Re-enable with built-in inspection - name: Register dummy baremetal compute nodes shell: diff --git a/playbooks/kayobe-overcloud-upgrade-base/run.yml b/playbooks/kayobe-overcloud-upgrade-base/run.yml index 03d5e3e72..820536979 100644 --- a/playbooks/kayobe-overcloud-upgrade-base/run.yml +++ b/playbooks/kayobe-overcloud-upgrade-base/run.yml @@ -109,7 +109,6 @@ cmd: dev/overcloud-test-baremetal.sh &> {{ logs_dir }}/ansible/overcloud-test-bm-post-upgrade chdir: "{{ kayobe_src_dir }}" executable: /bin/bash - when: false # TODO(priteau): Re-enable with built-in inspection environment: KAYOBE_CONFIG_SOURCE_PATH: "{{ kayobe_config_src_dir }}" diff --git a/releasenotes/notes/adds-support-for-configuring-builtin-inspector-04ab4ea4f1a1c3c8.yaml b/releasenotes/notes/adds-support-for-configuring-builtin-inspector-04ab4ea4f1a1c3c8.yaml new file mode 100644 index 000000000..a721182c8 --- /dev/null 
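Review bot: In the first etc/kayobe/inspector.yml hunk, the comment for `inspector_hooks` reads "List of of additional inspector hooks to enable", but by its stated default (`inspector_hooks_default + inspector_hooks_extra`) it is the complete list, and "of of" is a typo. `# List of inspection hooks to enable. Default is` followed by the existing expression would describe it correctly. The comment for `inspector_hooks_default` lists `$default_hooks` without saying what it expands to; a half-sentence pointing at the Ironic option would help.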
+++ b/releasenotes/notes/adds-support-for-configuring-builtin-inspector-04ab4ea4f1a1c3c8.yaml @@ -0,0 +1,26 @@ +--- +upgrade: + - | + ``inspector_processing_hooks`` has been removed. A new variable named + ``inspector_hooks`` has been introduced to to replace it since the names of + the hooks differ between standalone and built-in implementations. See + :ironic-doc:`Ironic documentation ` for + more details. + - | + Support for standalone inspector has been removed. All Ironic nodes will + need to be migrated from the ``inspector`` inspect-interface to ``agent``. + It is recommended that you do this after upgrading, but you will need to + ensure that you add ``inspector`` and ``agent`` to + ``kolla_ironic_enabled_inspect_interfaces`` for the upgrade. Check that + ``kolla_ironic_default_inspect_interface`` is not set to ``inspector``. + See :ironic-doc:`Ironic documentation ` for + more details. + - | + The format of inspection rules has changed. Any custom rules will need + to be updated to the new format. See + :ironic-doc:`Ironic documentation ` + for more details. + - | + The format of the data output from ``kayobe baremetal compute introspection + data save`` and ``kayobe overcloud introspection data save`` has changed. + You may need to update any tooling that is using this data. diff --git a/requirements.yml b/requirements.yml index 2490a5bcb..68c92d3a2 100644 --- a/requirements.yml +++ b/requirements.yml @@ -22,7 +22,7 @@ collections: - name: stackhpc.network version: 1.0.0 - name: stackhpc.openstack - version: 0.2.2 + version: 0.6.0 roles: - src: ahuffman.resolv From ee2657d3ba99eb79a682d007013dad9c3b1c8ed3 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 14 Nov 2025 13:09:16 +0100 Subject: [PATCH 112/187] Fix comment in globals.yml Change-Id: I7611e4798d3dd27f4193f07e02e9e664229fd451 Signed-off-by: Pierre Riteau --- etc/kayobe/globals.yml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/etc/kayobe/globals.yml b/etc/kayobe/globals.yml index 13f340e57..498b5886b 100644 --- a/etc/kayobe/globals.yml +++ b/etc/kayobe/globals.yml @@ -51,7 +51,6 @@ # OS release. Valid options are "10-stream" when os_distribution is "centos", # "10" when os_distribution is "rocky", or "noble" when os_distribution is # "ubuntu". -# os_distribution is "ubuntu". #os_release: ############################################################################### From 72339426eaa4152d31a4a93de3e604bb9db1d5ef Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 14 Nov 2025 13:32:58 +0100 Subject: [PATCH 113/187] [release] Fix release notes for 2025.2 Change-Id: I74a1a56525ec7d7ae36cca634b425e045dd6a42a Signed-off-by: Pierre Riteau --- ...-args-for-virtual-media-1446188235feaaac.yaml | 16 +++++++--------- .../notes/bug-2121588-ad6d8b33e3fcaff9.yaml | 2 +- ...on-algorithm-to-zstd-19-b3860e0a24ca824e.yaml | 2 +- ...x-baremetal-serial-venv-946b4b7dd191662b.yaml | 4 ++-- ...orking-dir-url-encoding-5f50d66547858e37.yaml | 3 +-- ...onic-inspection-network-6cd3977447492236.yaml | 2 +- ...t-centos-stream-9-image-d23c5a3f5c3a3914.yaml | 5 ----- 7 files changed, 13 insertions(+), 21 deletions(-) delete mode 100644 releasenotes/notes/use-latest-centos-stream-9-image-d23c5a3f5c3a3914.yaml diff --git a/releasenotes/notes/add-redfish-pxe-args-for-virtual-media-1446188235feaaac.yaml b/releasenotes/notes/add-redfish-pxe-args-for-virtual-media-1446188235feaaac.yaml index 24837912e..1f167ece2 100644 --- a/releasenotes/notes/add-redfish-pxe-args-for-virtual-media-1446188235feaaac.yaml +++ b/releasenotes/notes/add-redfish-pxe-args-for-virtual-media-1446188235feaaac.yaml 
@@ -1,12 +1,10 @@ --- features: - | - Adds support for Redfish virtual media and - PXE boot using a common set of variables. - Migration to using - ``kolla_ironic_kernel_append_params`` is - advised. - New boot variables are: - kolla_ironic_kernel_append_params, - kolla_ironic_kernel_append_params_default, - kolla_ironic_kernel_append_params_extra. + Adds support for Redfish virtual media and PXE boot using a common set of + variables. Migration to using ``kolla_ironic_kernel_append_params`` is + advised. New boot variables are: + + * ``kolla_ironic_kernel_append_params`` + * ``kolla_ironic_kernel_append_params_default`` + * ``kolla_ironic_kernel_append_params_extra`` diff --git a/releasenotes/notes/bug-2121588-ad6d8b33e3fcaff9.yaml b/releasenotes/notes/bug-2121588-ad6d8b33e3fcaff9.yaml index ac5424b7f..ff8b82e06 100644 --- a/releasenotes/notes/bug-2121588-ad6d8b33e3fcaff9.yaml +++ b/releasenotes/notes/bug-2121588-ad6d8b33e3fcaff9.yaml @@ -1,6 +1,6 @@ --- fixes: - | - Fixes CentOS Stream 9 seed and infra VMs not booting by switching to an + Fixes CentOS Stream seed and infra VMs not booting by switching to an EFI-compatible image. `LP#2121588 `__ diff --git a/releasenotes/notes/change-IPA-compression-algorithm-to-zstd-19-b3860e0a24ca824e.yaml b/releasenotes/notes/change-IPA-compression-algorithm-to-zstd-19-b3860e0a24ca824e.yaml index bf4576bb2..1942bd165 100644 --- a/releasenotes/notes/change-IPA-compression-algorithm-to-zstd-19-b3860e0a24ca824e.yaml +++ b/releasenotes/notes/change-IPA-compression-algorithm-to-zstd-19-b3860e0a24ca824e.yaml @@ -11,4 +11,4 @@ upgrade: default ``gzip`` to ``zstd``. The ``ipa_build_dib_env_default`` dictionary now includes ``DIB_IPA_COMPRESS_CMD`` set to ``zstd -19``. The default ``ipa_build_dib_host_packages_extra`` has been changed from - none to ``['zstd']``. \ No newline at end of file + none to ``['zstd']``. 
diff --git a/releasenotes/notes/fix-baremetal-serial-venv-946b4b7dd191662b.yaml b/releasenotes/notes/fix-baremetal-serial-venv-946b4b7dd191662b.yaml index 71e999ee6..eedc72012 100644 --- a/releasenotes/notes/fix-baremetal-serial-venv-946b4b7dd191662b.yaml +++ b/releasenotes/notes/fix-baremetal-serial-venv-946b4b7dd191662b.yaml @@ -1,5 +1,5 @@ --- fixes: - | - Call virtualenv as a Python module during baremetal compute serial console - setup to fix ``executable not found`` error on Rocky Linux. + Fixes ``executable not found`` errors on Rocky Linux by calling virtualenv + as a Python module during baremetal compute serial console setup. diff --git a/releasenotes/notes/fix-working-dir-url-encoding-5f50d66547858e37.yaml b/releasenotes/notes/fix-working-dir-url-encoding-5f50d66547858e37.yaml index a7ed09bd2..f5a4ebae0 100644 --- a/releasenotes/notes/fix-working-dir-url-encoding-5f50d66547858e37.yaml +++ b/releasenotes/notes/fix-working-dir-url-encoding-5f50d66547858e37.yaml @@ -1,7 +1,6 @@ --- fixes: - | - Fixes a issue where the working directory contains symbols such - as @. + Fixes an issue where the working directory contains symbols such as ``@``. The previous behaviour tries to load files with url encoded symbols. `LP#2129687 `__ diff --git a/releasenotes/notes/kolla-ironic-inspection-network-6cd3977447492236.yaml b/releasenotes/notes/kolla-ironic-inspection-network-6cd3977447492236.yaml index 04187c12f..605d473a8 100644 --- a/releasenotes/notes/kolla-ironic-inspection-network-6cd3977447492236.yaml +++ b/releasenotes/notes/kolla-ironic-inspection-network-6cd3977447492236.yaml @@ -3,4 +3,4 @@ features: - | Adds support for ``kolla_ironic_inspection_network`` which will be created in Neutron for Ironic Inspection purposes (defaults to using provisioning - network for backwards compatibility).. + network for backwards compatibility). 
diff --git a/releasenotes/notes/use-latest-centos-stream-9-image-d23c5a3f5c3a3914.yaml b/releasenotes/notes/use-latest-centos-stream-9-image-d23c5a3f5c3a3914.yaml deleted file mode 100644 index 82e8b0520..000000000 --- a/releasenotes/notes/use-latest-centos-stream-9-image-d23c5a3f5c3a3914.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -upgrade: - - | - Updates the default cloud image for CentOS Stream 9 deployments to use - ``CentOS-Stream-GenericCloud-9-latest.x86_64.qcow2``. From 5c7669a873f3753a59acf046d576d5a4ccb6e186 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 14 Nov 2025 22:30:27 +0100 Subject: [PATCH 114/187] Fix versions in Ansible bump release note Change-Id: I4c81811ef7c56b9082bc5ffb6064367e2aa12adf Signed-off-by: Pierre Riteau --- releasenotes/notes/bump-ansible-12-536bc4a3ff55dc3b.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/releasenotes/notes/bump-ansible-12-536bc4a3ff55dc3b.yaml b/releasenotes/notes/bump-ansible-12-536bc4a3ff55dc3b.yaml index 5901b6a26..90ee0665e 100644 --- a/releasenotes/notes/bump-ansible-12-536bc4a3ff55dc3b.yaml +++ b/releasenotes/notes/bump-ansible-12-536bc4a3ff55dc3b.yaml @@ -1,6 +1,6 @@ --- upgrade: - | - Updates the maximum supported version of Ansible from 12 (ansible-core - 2.18) to 13 (ansible-core 2.19). The minimum supported version is updated + Updates the maximum supported version of Ansible from 11 (ansible-core + 2.18) to 12 (ansible-core 2.19). The minimum supported version is updated from 10.x to 11.x. This is true for both Kayobe and Kolla Ansible. From 191e4d9899105bb49a2298e7ffb4cf60b5a80743 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Mon, 17 Nov 2025 12:06:30 +0100 Subject: [PATCH 115/187] Bump minimum Python version to 3.12 We require ansible>=11 which needs Python >=3.11. Since all our supported distributions have Python 3.12 as default, make this the minimum. Change-Id: I8699acef0e88618f86fe854be170d885fc1ab8c8 
Signed-off-by: Pierre Riteau --- .../notes/drop-python310-and-311-b284d9a4d8d91324.yaml | 5 +++++ setup.cfg | 4 +--- 2 files changed, 6 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/drop-python310-and-311-b284d9a4d8d91324.yaml diff --git a/releasenotes/notes/drop-python310-and-311-b284d9a4d8d91324.yaml b/releasenotes/notes/drop-python310-and-311-b284d9a4d8d91324.yaml new file mode 100644 index 000000000..e72c8148a --- /dev/null +++ b/releasenotes/notes/drop-python310-and-311-b284d9a4d8d91324.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - | + Python 3.10 and 3.11 are no longer supported on the control host. Use + Python 3.12 as a minimum version for the Kayobe virtualenv. diff --git a/setup.cfg b/setup.cfg index 46ea41577..2074f6b29 100644 --- a/setup.cfg +++ b/setup.cfg @@ -6,7 +6,7 @@ description_file = author = OpenStack author_email = openstack-discuss@lists.openstack.org home_page = https://docs.openstack.org/kayobe/latest/ -python_requires = >=3.10 +python_requires = >=3.12 license = Apache License, Version 2.0 classifier = Environment :: OpenStack @@ -18,8 +18,6 @@ classifier = Programming Language :: Python :: Implementation :: CPython Programming Language :: Python :: 3 :: Only Programming Language :: Python :: 3 - Programming Language :: Python :: 3.10 - Programming Language :: Python :: 3.11 Programming Language :: Python :: 3.12 [files] From 85a0356cbab068026ab03214a7dac7629dca294e Mon Sep 17 00:00:00 2001 From: John Garbutt Date: Mon, 8 Sep 2025 17:36:54 +0100 Subject: [PATCH 116/187] Move nvidia.nvue to 1.2.9 for cumulus 5.13 Changed switch config started creating errors on cumulus 5.13 onwards. Bumping the collection version to bring in this fix: https://gitlab.com/nvidia-networking/systems-engineering/nvue/-/commit/adfc6829ee0fadbcd5273a7635f26d6a79b44eab Change-Id: Ib92ae8807a5f22090d3025ff93d279004e686870 Closes-Bug: #2131677 
Signed-off-by: John Garbutt --- .../notes/fixes-cumulus-5.13-74e0d08675404f46.yaml | 7 +++++++ requirements.yml | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/fixes-cumulus-5.13-74e0d08675404f46.yaml diff --git a/releasenotes/notes/fixes-cumulus-5.13-74e0d08675404f46.yaml b/releasenotes/notes/fixes-cumulus-5.13-74e0d08675404f46.yaml new file mode 100644 index 000000000..34401e5cf --- /dev/null +++ b/releasenotes/notes/fixes-cumulus-5.13-74e0d08675404f46.yaml @@ -0,0 +1,7 @@ +--- +fixes: + - | + Bumps version of ``nvidia.nvue`` Ansible collection from ``1.2.6`` to + ``1.2.9``. This fixes an issue where switch configuration could not be + applied to switches running Cumulus Linux 5.13. See `LP#2131677 + `__ for more details. diff --git a/requirements.yml b/requirements.yml index d51d5eeb8..7d40cf35f 100644 --- a/requirements.yml +++ b/requirements.yml @@ -8,7 +8,7 @@ collections: - name: dellemc.os10 version: 1.2.7 - name: nvidia.nvue - version: 1.2.6 + version: 1.2.9 - name: openstack.cloud version: '<3' - name: stackhpc.linux From 0363434c167a859db636e0cb9f65249c4ad111f4 Mon Sep 17 00:00:00 2001 From: OpenStack Release Bot Date: Tue, 18 Nov 2025 09:46:45 +0000 Subject: [PATCH 117/187] Update master for stable/2025.2 Add file to the reno documentation build to show release notes for stable/2025.2. Use pbr instruction to increment the minor version number automatically so that master versions are higher than the versions on stable/2025.2. Sem-Ver: feature Change-Id: I5af09b2392f738f853e8eca2e3a56bdc2ac7b6f7 Signed-off-by: OpenStack Release Bot Generated-By: openstack/project-config:roles/copy-release-tools-scripts/files/release-tools/add_release_note_page.sh --- releasenotes/source/2025.2.rst | 6 ++++++ releasenotes/source/index.rst | 1 + 2 files changed, 7 insertions(+) create mode 100644 releasenotes/source/2025.2.rst 
diff --git a/releasenotes/source/2025.2.rst b/releasenotes/source/2025.2.rst new file mode 100644 index 000000000..4dae18d86 --- /dev/null +++ b/releasenotes/source/2025.2.rst @@ -0,0 +1,6 @@ +=========================== +2025.2 Series Release Notes +=========================== + +.. release-notes:: + :branch: stable/2025.2 diff --git a/releasenotes/source/index.rst b/releasenotes/source/index.rst index 4a413860a..6cd206129 100644 --- a/releasenotes/source/index.rst +++ b/releasenotes/source/index.rst @@ -6,6 +6,7 @@ Kayobe Release Notes :maxdepth: 1 unreleased + 2025.2 2025.1 2024.2 2024.1 From ddccfb1679bc612434d86c72f09a74dd9e42df29 Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Sun, 3 Aug 2025 12:46:40 +0100 Subject: [PATCH 118/187] feat: add command to view passwords Quality of life improvement to make viewing the contents of `kolla/passwords.yml` with the introduction of a kayobe command that removes the need to provide an absolute or relative path to the `ansible-vault` encrypted passwords file. Change-Id: I9c3b78cfba1676d75f829cd5bd5b5dc05fd52dbc Signed-off-by: Jack Hodgkiss --- doc/source/usage.rst | 10 ++++++++++ kayobe/cli/commands.py | 8 ++++++++ kayobe/vault.py | 19 +++++++++++++++++++ ...sswords-view-command-2f55d83dca037e3d.yaml | 5 +++++ setup.cfg | 3 +++ 5 files changed, 45 insertions(+) create mode 100644 releasenotes/notes/add-passwords-view-command-2f55d83dca037e3d.yaml diff --git a/doc/source/usage.rst b/doc/source/usage.rst index a311490dc..70581eb9e 100644 --- a/doc/source/usage.rst +++ b/doc/source/usage.rst 
@@ -48,6 +48,16 @@ Environment variable: ``ANSIBLE_VAULT_PASSWORD_FILE`` password from a (plain text) file, with the path to that file being read from the environment. +Whilst the kolla passwords file ``kolla/passwords.yml`` should remain encrypted +at all times it can be useful to view the contents of this file to acquire a +password for a given service. +This can be done with ``ansible-vault view`` however if an absolute path is not +provided it will cause the command to fail. +Therefore, to make reading the contents of this file easier for administrators +it is possible to use ``kayobe overcloud passwords view`` which will +temporarily decrypt and display the contents of ``kolla/passwords.yml`` for the +active kayobe environment. + Limiting Hosts -------------- diff --git a/kayobe/cli/commands.py b/kayobe/cli/commands.py index be233af7f..2c9cb97a0 100644 --- a/kayobe/cli/commands.py +++ b/kayobe/cli/commands.py @@ -1579,6 +1579,14 @@ def take_action(self, parsed_args): self.run_kolla_ansible_overcloud(parsed_args, "prechecks") +class OvercloudServicePasswordsView(KayobeAnsibleMixin, VaultMixin, Command): + """View Passwords.""" + + def take_action(self, parsed_args): + self.app.LOG.debug("Displaying Passwords") + vault.view_passwords(parsed_args) + + class OvercloudServiceReconfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin, Command): """Reconfigure the overcloud services. diff --git a/kayobe/vault.py b/kayobe/vault.py index 82bc0f208..3a4d32b9b 100644 --- a/kayobe/vault.py +++ b/kayobe/vault.py 
@@ -172,3 +172,22 @@ def update_environment(parsed_args, env): if vault_password is not None: env[VAULT_PASSWORD_ENV] = vault_password + + +def view_passwords(parsed_args): + """View passwords stored in the Ansible Vault. + + :param parsed_args: Parsed command line arguments. + """ + env_path = utils.get_kayobe_environment_path( + parsed_args.config_path, parsed_args.environment) + path = env_path if env_path else parsed_args.config_path + passwords_path = os.path.join(path, 'kolla', 'passwords.yml') + cmd = ["ansible-vault", "view", passwords_path] + cmd += ["--vault-password-file", _get_vault_password_helper()] + try: + utils.run_command(cmd) + except subprocess.CalledProcessError as e: + LOG.error("Failed to view passwords via ansible-vault " + "returncode %d", e.returncode) + sys.exit(e.returncode) diff --git a/releasenotes/notes/add-passwords-view-command-2f55d83dca037e3d.yaml b/releasenotes/notes/add-passwords-view-command-2f55d83dca037e3d.yaml new file mode 100644 index 000000000..b908fb105 --- /dev/null +++ b/releasenotes/notes/add-passwords-view-command-2f55d83dca037e3d.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Add support for easily viewing the content of ``kolla/passwords.yml`` with + the new command ``kayobe overcloud passwords view``. diff --git a/setup.cfg b/setup.cfg index 2074f6b29..82526ed5b 100644 --- a/setup.cfg +++ b/setup.cfg @@ -75,6 +75,7 @@ kayobe.cli= overcloud_service_deploy = kayobe.cli.commands:OvercloudServiceDeploy overcloud_service_deploy_containers = kayobe.cli.commands:OvercloudServiceDeployContainers overcloud_service_destroy = kayobe.cli.commands:OvercloudServiceDestroy + overcloud_service_passwords_view = kayobe.cli.commands:OvercloudServicePasswordsView overcloud_service_prechecks = kayobe.cli.commands:OvercloudServicePrechecks overcloud_service_reconfigure = kayobe.cli.commands:OvercloudServiceReconfigure overcloud_service_stop = kayobe.cli.commands:OvercloudServiceStop 
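Review bot: `view_passwords` always passes `--vault-password-file` with the helper script and never reads the vault options in `parsed_args`, although the command class mixes in `VaultMixin`. If the helper only echoes `VAULT_PASSWORD_ENV` (as `update_environment` above suggests; the helper is outside the hunk), a password supplied on the command line or by prompt is ignored and decryption fails. Building the environment first, `env = os.environ.copy()` then `update_environment(parsed_args, env)`, and handing `env` to the command runner would cover those cases, assuming `utils.run_command` accepts an environment. The docstring should also state that the decrypted file is written to standard output, so the command is not suitable where output is captured into CI or session logs.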
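Review bot: The entry point added in the first setup.cfg hunk is `overcloud_service_passwords_view`, which cliff should expose as `kayobe overcloud service passwords view`, but the usage documentation and the release note in this patch both give the command as `kayobe overcloud passwords view`. The hooks section added in the second setup.cfg hunk is named `kayobe.cli.overcloud_passwords_view`, which does not follow the pattern of its neighbour `kayobe.cli.overcloud_service_upgrade`, so hooks for the new command would probably not be found. Use one name in all four places, e.g. `overcloud_passwords_view = kayobe.cli.commands:OvercloudServicePasswordsView` if the documented command is the intended one.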
@@ -193,6 +194,8 @@ kayobe.cli.overcloud_service_upgrade = hooks = kayobe.cli.commands:HookDispatcher kayobe.cli.overcloud_swift_rings_generate = hooks = kayobe.cli.commands:HookDispatcher +kayobe.cli.overcloud_passwords_view = + hooks = kayobe.cli.commands:HookDispatcher kayobe.cli.physical_network_configure = hooks = kayobe.cli.commands:HookDispatcher kayobe.cli.playbook_run = From 4275c90eb511930dd9b327fcd3970824b70399b4 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 21 Nov 2025 11:35:26 +0100 Subject: [PATCH 119/187] Fix issues with inspection rules The by_path attribute from plugin data was being used with the root_device/name property, which failed to match. Revert to using serial, which was the original intent anyway. Check if root disk serial is not empty to avoid setting root_device to {'serial': 'None'} which would cause deploy failures. Fix syntax for accessing node data inside dictionaries: interpolation of "{node.driver_info.ipmi_username}" does not work, we need to use "{node.driver_info[ipmi_username]}" instead. Fix syntax for accessing inventory data: inventory is a ShallowMaskDict object, so we need to use "{inventory[system_vendor]}" instead of "{inventory.system_vendor}". Update all regular expressions to match and remove unneeded escaping of curly braces. Fix syntax for setting properties: the path needs to be "/driver_info/ipmi_username" instead of "driver_info/ipmi_username". Change-Id: I552f21c73a69340132244ea15089f01a2f9d20d0 Signed-off-by: Pierre Riteau --- ansible/inventory/group_vars/all/inspector | 101 +++++++++++---------- 1 file changed, 52 insertions(+), 49 deletions(-) diff --git a/ansible/inventory/group_vars/all/inspector b/ansible/inventory/group_vars/all/inspector index f74f39a09..b65faaf80 100644 --- a/ansible/inventory/group_vars/all/inspector +++ b/ansible/inventory/group_vars/all/inspector 
@@ -119,22 +119,24 @@ inspector_rule_ipmi_credentials: description: "Set IPMI driver_info if no credentials" conditions: - args: - value: "{node.driver_info.ipmi_username}" - regex: '\\{node\\.driver_info\\.ipmi_username\\}' + # If value matches itself as a regex, this is becaused interpolation + # failed which means the ipmi_username key was not set. + value: "{node.driver_info[ipmi_username]}" + regex: "{node\\.driver_info\\[ipmi_username\\]}" op: "matches" - args: - value: "{node.driver_info.ipmi_password}" - regex: '\\{node\\.driver_info\\.ipmi_password\\}' + value: "{node.driver_info[ipmi_password]}" + regex: "{node\\.driver_info\\[ipmi_password\\]}" op: "matches" sensitive: "true" actions: - op: "set-attribute" args: - path: "driver_info/ipmi_username" + path: "/driver_info/ipmi_username" value: "{{ inspector_rule_var_ipmi_username }}" - op: "set-attribute" args: - path: "driver_info/ipmi_password" + path: "/driver_info/ipmi_password" value: "{{ inspector_rule_var_ipmi_password }}" # Deployment kernel referenced by inspector rule. @@ -145,13 +147,13 @@ inspector_rule_deploy_kernel: description: "Set deploy kernel" conditions: - args: - value: "{node.driver_info.deploy_kernel}" - regex: '\\{node\\.driver_info\\.deploy_kernel\\}' + value: "{node.driver_info[deploy_kernel]}" + regex: "{node\\.driver_info\\[deploy_kernel\\]}" op: "matches" actions: - op: "set-attribute" args: - path: "driver_info/deploy_kernel" + path: "/driver_info/deploy_kernel" value: "{{ inspector_rule_var_deploy_kernel }}" # Deployment ramdisk referenced by inspector rule. 
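Review bot: The comment added to `inspector_rule_ipmi_credentials` has a typo (`becaused`) and sits only above the `ipmi_username` condition, while the same self-matching check is used without explanation in the `deploy_kernel`, `deploy_ramdisk`, `root_device` and `system_vendor` rules in the later hunks. Suggested wording, placed once above the rule definitions: `# A value that still matches its own template as a regex was not interpolated, i.e. the key is unset.` The context line `sensitive: "true"` is a quoted string; plain `sensitive: true` states the boolean directly. The rule definition starts outside the hunk.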
@@ -162,13 +164,13 @@ inspector_rule_deploy_ramdisk: description: "Set deploy ramdisk" conditions: - args: - value: "{node.driver_info.deploy_ramdisk}" - regex: '\\{node\\.driver_info\\.deploy_ramdisk\\}' + value: "{node.driver_info[deploy_ramdisk]}" + regex: "{node\\.driver_info\\[deploy_ramdisk\\]}" op: "matches" actions: - op: "set-attribute" args: - path: "driver_info/deploy_ramdisk" + path: "/driver_info/deploy_ramdisk" value: "{{ inspector_rule_var_deploy_ramdisk }}" # Ironic inspector rule to set serial root device hint. @@ -177,14 +179,16 @@ inspector_rule_root_hint_serial: conditions: - args: value: "{node.properties[root_device]}" - regex: "\\{node\\.properties\\[root_device\\]\\}" + regex: "{node\\.properties\\[root_device\\]}" op: "matches" + - args: + value: "{plugin_data[root_disk][serial]}" + op: "!is-empty" actions: - op: "set-attribute" args: - path: "properties/root_device/name" - value: "{plugin_data[root_disk][by_path]}" - + path: "/properties/root_device/serial" + value: "{plugin_data[root_disk][serial]}" # Ironic inspector rule to set the interface on which the node PXE booted. inspector_rule_set_pxe_interface_mac: @@ -192,12 +196,12 @@ inspector_rule_set_pxe_interface_mac: conditions: - args: value: "{plugin_data[boot_interface]}" - regex: "'\\{plugin_data\\[boot_interface\\]\\}'" + regex: "{plugin_data\\[boot_interface\\]}" op: "!matches" actions: - op: "set-attribute" args: - path: "extra/pxe_interface_mac" + path: "/extra/pxe_interface_mac" value: "{plugin_data[boot_interface]}" # Name of network interface to use for LLDP referenced by switch port @@ -255,7 +259,7 @@ inspector_rule_lldp_switch_port_desc_to_name: actions: - op: "set-attribute" args: - path: "name" + path: "/name" value: "{{ _inspector_rule_switch_port_description_path }}" # Ironic inspector rule to save system vendor manufacturer data in the node's 
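Review bot: In the `inspector_rule_root_hint_serial` hunk, the new `!is-empty` condition does not cover a missing `root_disk` or `serial` key: by the explanation added to the IPMI rule in this patch, a failed interpolation leaves the literal text `{plugin_data[root_disk][serial]}`, which is not empty, so the action would still run. A further condition in the style of the `boot_interface` rule closes that gap: the same `value`, with `regex: "{plugin_data\\[root_disk\\]\\[serial\\]}"` and `op: "!matches"`. Whether `!is-empty` also rejects the string `None` mentioned in the commit message depends on the operator's implementation, which is not on this page.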
@@ -264,17 +268,17 @@ inspector_rule_save_system_vendor_manufacturer: description: "Save system vendor manufacturer data in Ironic node metadata" conditions: - args: - value: "{inventory.system_vendor}" - regex: "\\{inventory\\.system_vendor\\}" + value: "{inventory[system_vendor]}" + regex: "{inventory\\[system_vendor\\]}" op: "!matches" - args: - value: "{inventory.system_vendor.manufacturer}" - regex: "\\{inventory\\.system_vendor\\.manufacturer\\}" + value: "{inventory[system_vendor][manufacturer]}" + regex: "{inventory\\[system_vendor\\]\\[manufacturer\\]}" op: "!matches" actions: - op: "set-attribute" args: - path: "extra/system_vendor/manufacturer" + path: "/extra/system_vendor/manufacturer" value: "{inventory[system_vendor][manufacturer]}" # Ironic inspector rule to save system vendor serial number in the node's @@ -283,17 +287,17 @@ inspector_rule_save_system_vendor_serial_number: description: "Save system vendor serial number in Ironic node metadata" conditions: - args: - value: "{inventory.system_vendor}" - regex: "\\{inventory\\.system_vendor\\}" + value: "{inventory[system_vendor]}" + regex: "{inventory\\[system_vendor\\]}" op: "!matches" - args: - value: "{inventory.system_vendor.serial_number}" - regex: "\\{inventory\\.system_vendor\\.serial_number\\}" + value: "{inventory[system_vendor][serial_number]}" + regex: "{inventory\\[system_vendor\\]\\[serial_number\\]}" op: "!matches" actions: - op: "set-attribute" args: - path: "extra/system_vendor/serial_number" + path: "/extra/system_vendor/serial_number" value: "{inventory[system_vendor][serial_number]}" # Ironic inspector rule to save system vendor product name in the node's 
@@ -302,17 +306,17 @@ inspector_rule_save_system_vendor_product_name: description: "Save system vendor product name in Ironic node metadata" conditions: - args: - value: "{inventory.system_vendor}" - regex: "\\{inventory\\.system_vendor\\}" + value: "{inventory[system_vendor]}" + regex: "{inventory\\[system_vendor\\]}" op: "!matches" - args: - value: "{inventory.system_vendor.product_name}" - regex: "\\{inventory\\.system_vendor\\.product_name\\}" + value: "{inventory[system_vendor][product_name]}" + regex: "{inventory\\[system_vendor\\]\\[product_name\\]}" op: "!matches" actions: - op: "set-attribute" args: - path: "extra/system_vendor/product_name" + path: "/extra/system_vendor/product_name" value: "{inventory[system_vendor][product_name]}" # Ironic inspector rule to save introspection data to the node. @@ -322,11 +326,11 @@ inspector_rule_save_data: actions: - op: "set-attribute" args: - path: "extra/introspection_data/inventory" + path: "/extra/introspection_data/inventory" value: "{inventory}" - op: "set-attribute" args: - path: "extra/introspection_data/plugin_data" + path: "/extra/introspection_data/plugin_data" value: "{plugin_data}" # Redfish rules 
@@ -335,22 +339,22 @@ inspector_rule_redfish_credentials: description: "Set Redfish driver_info if no credentials" conditions: - args: - value: "{node.driver_info.redfish_username}" - regex: "\\{node\\.driver_info\\.redfish_username\\}" + value: "{node.driver_info[redfish_username]}" + regex: "{node\\.driver_info\\[redfish_username\\]}" op: "matches" - args: - value: "{node.driver_info.redfish_password}" - regex: "\\{node\\.driver_info\\.redfish_password\\}" + value: "{node.driver_info[redfish_password]}" + regex: "{node\\.driver_info\\[redfish_password\\]}" op: "matches" sensitive: true actions: - op: "set-attribute" args: - path: "driver_info/redfish_username" + path: "/driver_info/redfish_username" value: "{{ inspector_rule_var_redfish_username }}" - op: "set-attribute" args: - path: "driver_info/redfish_password" + path: "/driver_info/redfish_password" value: "{{ inspector_rule_var_redfish_password }}" # Ironic inspector rule to set Redfish address. @@ -358,13 +362,13 @@ inspector_rule_redfish_address: description: "Set Redfish address" conditions: - args: - value: "{node.driver_info.redfish_address}" - regex: "\\{node\\.driver_info\\.redfish_address\\}" + value: "{node.driver_info[redfish_address]}" + regex: "{node\\.driver_info\\[redfish_address\\]}" op: "matches" actions: - op: "set-attribute" args: - path: "driver_info/redfish_address" + path: "/driver_info/redfish_address" value: "{inventory[bmc_address]}" # Ironic inspector rule to set Redfish certificate authority. 
@@ -372,13 +376,13 @@ inspector_rule_redfish_verify_ca: description: "Set Redfish Verify CA" conditions: - args: - value: "{node.driver_info.redfish_verify_ca}" - regex: "\\{node\\.driver_info\\.redfish_verify_ca\\}" + value: "{node.driver_info[redfish_verify_ca]}" + regex: "{node\\.driver_info\\[redfish_verify_ca\\]}" op: "matches" actions: - op: "set-attribute" args: - path: "driver_info/redfish_verify_ca" + path: "/driver_info/redfish_verify_ca" value: "{{ inspector_rule_var_redfish_verify_ca }}" # List of default ironic inspector rules. @@ -421,4 +425,3 @@ inspector_rules: "{{ inspector_rules_default + inspector_rules_extra + (inspecto # Ansible group containing switch hosts to which the workaround should be # applied. inspector_dell_switch_lldp_workaround_group: - From 2d40dda231f9acf10c5f4d13ea848956d0940cee Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 14 Nov 2025 22:30:27 +0100 Subject: [PATCH 120/187] Fix versions in Ansible bump release note Change-Id: I4c81811ef7c56b9082bc5ffb6064367e2aa12adf Signed-off-by: Pierre Riteau --- releasenotes/notes/bump-ansible-12-536bc4a3ff55dc3b.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/releasenotes/notes/bump-ansible-12-536bc4a3ff55dc3b.yaml b/releasenotes/notes/bump-ansible-12-536bc4a3ff55dc3b.yaml index 5901b6a26..90ee0665e 100644 --- a/releasenotes/notes/bump-ansible-12-536bc4a3ff55dc3b.yaml +++ b/releasenotes/notes/bump-ansible-12-536bc4a3ff55dc3b.yaml @@ -1,6 +1,6 @@ --- upgrade: - | - Updates the maximum supported version of Ansible from 12 (ansible-core - 2.18) to 13 (ansible-core 2.19). The minimum supported version is updated + Updates the maximum supported version of Ansible from 11 (ansible-core + 2.18) to 12 (ansible-core 2.19). The minimum supported version is updated from 10.x to 11.x. This is true for both Kayobe and Kolla Ansible. From 35e8346250b721522b32922237d9340b707e3245 Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Mon, 17 Nov 2025 12:06:30 +0100 Subject: [PATCH 121/187] Bump minimum Python version to 3.12 We require ansible>=11 which needs Python >=3.11. Since all our supported distributions have Python 3.12 as default, make this the minimum. Change-Id: I8699acef0e88618f86fe854be170d885fc1ab8c8 Signed-off-by: Pierre Riteau --- .../notes/drop-python310-and-311-b284d9a4d8d91324.yaml | 5 +++++ setup.cfg | 4 +--- 2 files changed, 6 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/drop-python310-and-311-b284d9a4d8d91324.yaml diff --git a/releasenotes/notes/drop-python310-and-311-b284d9a4d8d91324.yaml b/releasenotes/notes/drop-python310-and-311-b284d9a4d8d91324.yaml new file mode 100644 index 000000000..e72c8148a --- /dev/null +++ b/releasenotes/notes/drop-python310-and-311-b284d9a4d8d91324.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - | + Python 3.10 and 3.11 are no longer supported on the control host. Use + Python 3.12 as a minimum version for the Kayobe virtualenv. diff --git a/setup.cfg b/setup.cfg index 46ea41577..2074f6b29 100644 --- a/setup.cfg +++ b/setup.cfg @@ -6,7 +6,7 @@ description_file = author = OpenStack author_email = openstack-discuss@lists.openstack.org home_page = https://docs.openstack.org/kayobe/latest/ -python_requires = >=3.10 +python_requires = >=3.12 license = Apache License, Version 2.0 classifier = Environment :: OpenStack @@ -18,8 +18,6 @@ classifier = Programming Language :: Python :: Implementation :: CPython Programming Language :: Python :: 3 :: Only Programming Language :: Python :: 3 - Programming Language :: Python :: 3.10 - Programming Language :: Python :: 3.11 Programming Language :: Python :: 3.12 [files] From 0608b48d1d83f4eb1c699480b12f7d5f460332a5 Mon Sep 17 00:00:00 2001 
From: John Garbutt Date: Mon, 8 Sep 2025 17:36:54 +0100 Subject: [PATCH 122/187] Move nvidia.nvue to 1.2.9 for cumulus 5.13 Changed switch config started creating errors on cumulus 5.13 onwards. Bumping the collection version to bring in this fix: https://gitlab.com/nvidia-networking/systems-engineering/nvue/-/commit/adfc6829ee0fadbcd5273a7635f26d6a79b44eab Change-Id: Ib92ae8807a5f22090d3025ff93d279004e686870 Closes-Bug: #2131677 Signed-off-by: John Garbutt --- .../notes/fixes-cumulus-5.13-74e0d08675404f46.yaml | 7 +++++++ requirements.yml | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/fixes-cumulus-5.13-74e0d08675404f46.yaml diff --git a/releasenotes/notes/fixes-cumulus-5.13-74e0d08675404f46.yaml b/releasenotes/notes/fixes-cumulus-5.13-74e0d08675404f46.yaml new file mode 100644 index 000000000..34401e5cf --- /dev/null +++ b/releasenotes/notes/fixes-cumulus-5.13-74e0d08675404f46.yaml @@ -0,0 +1,7 @@ +--- +fixes: + - | + Bumps version of ``nvidia.nvue`` Ansible collection from ``1.2.6`` to + ``1.2.9``. This fixes an issue where switch configuration could not be + applied to switches running Cumulus Linux 5.13. See `LP#2131677 + `__ for more details. diff --git a/requirements.yml b/requirements.yml index 5b08a56bc..300f6ea5a 100644 --- a/requirements.yml +++ b/requirements.yml @@ -14,7 +14,7 @@ collections: - name: dellemc.os10 version: 1.2.7 - name: nvidia.nvue - version: 1.2.6 + version: 1.2.9 - name: openstack.cloud version: '<3' - name: stackhpc.linux From 9a854177bd098121e91a4a0c6f994c6b50270ed8 Mon Sep 17 00:00:00 2001 
From: OpenStack Release Bot Date: Tue, 18 Nov 2025 09:46:45 +0000 Subject: [PATCH 123/187] Update master for stable/2025.2 Add file to the reno documentation build to show release notes for stable/2025.2. Use pbr instruction to increment the minor version number automatically so that master versions are higher than the versions on stable/2025.2. Sem-Ver: feature Change-Id: I5af09b2392f738f853e8eca2e3a56bdc2ac7b6f7 Signed-off-by: OpenStack Release Bot Generated-By: openstack/project-config:roles/copy-release-tools-scripts/files/release-tools/add_release_note_page.sh --- releasenotes/source/2025.2.rst | 6 ++++++ releasenotes/source/index.rst | 1 + 2 files changed, 7 insertions(+) create mode 100644 releasenotes/source/2025.2.rst diff --git a/releasenotes/source/2025.2.rst b/releasenotes/source/2025.2.rst new file mode 100644 index 000000000..4dae18d86 --- /dev/null +++ b/releasenotes/source/2025.2.rst @@ -0,0 +1,6 @@ +=========================== +2025.2 Series Release Notes +=========================== + +.. release-notes:: + :branch: stable/2025.2 diff --git a/releasenotes/source/index.rst b/releasenotes/source/index.rst index 4a413860a..6cd206129 100644 --- a/releasenotes/source/index.rst +++ b/releasenotes/source/index.rst @@ -6,6 +6,7 @@ Kayobe Release Notes :maxdepth: 1 unreleased + 2025.2 2025.1 2024.2 2024.1 From 67d0bb0cbef29ce3f039b5a35a6091c3f26edeee Mon Sep 17 00:00:00 2001 From: OpenStack Release Bot Date: Mon, 24 Nov 2025 16:14:04 +0000 Subject: [PATCH 124/187] reno: Update master for unmaintained/2024.1 Update the 2024.1 release notes configuration to build from unmaintained/2024.1. Change-Id: I0fa9799895a3721e41da724fb495d44bf19aa476 Signed-off-by: OpenStack Release Bot Generated-By: openstack/project-config:roles/copy-release-tools-scripts/files/release-tools/change_reno_branch_to_unmaintained.sh --- releasenotes/source/2024.1.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/releasenotes/source/2024.1.rst b/releasenotes/source/2024.1.rst index 4977a4f1a..6896656be 100644 --- a/releasenotes/source/2024.1.rst +++ b/releasenotes/source/2024.1.rst @@ -3,4 +3,4 @@ =========================== .. release-notes:: - :branch: stable/2024.1 + :branch: unmaintained/2024.1 From 2858b253b147c6198b112c3437ac23bb364d6192 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 25 Nov 2025 14:44:17 +0100 Subject: [PATCH 125/187] Document moving releases to unmaintained and EOL Change-Id: I025725820e44bb16b1a51e959b55602a30738226 Signed-off-by: Pierre Riteau --- doc/source/contributor/releases.rst | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/doc/source/contributor/releases.rst b/doc/source/contributor/releases.rst index b0d17aba6..a95a93599 100644 --- a/doc/source/contributor/releases.rst +++ b/doc/source/contributor/releases.rst @@ -242,3 +242,21 @@ Stable Releases Stable branch releases should be made periodically for each supported stable branch, no less than once every 45 days. + +Transitioning to Unmaintained +============================= + +When an OpenStack release transitions to `Unmaintained +`__, +all references to ``stable/`` need to be changed to +``unmaintained/``. This change needs to be made on the new +unmaintained branch. For example, see +https://review.opendev.org/c/openstack/kayobe/+/968298. + +Transitioning to End of Life (EOL) +================================== + +When an OpenStack release transitions to `End of Life (EOL) +`__, +upgrade jobs in later releases need to be removed. For example, see +https://review.opendev.org/c/openstack/kayobe/+/968296. From 03c849c6cab0045a78257eb37db95c75cc1c42c2 Mon Sep 17 00:00:00 2001 
From: Will Szumski Date: Mon, 15 Sep 2025 17:27:46 +0000 Subject: [PATCH 126/187] Test bare metal node inspection Adds a test to inspect a node in the baremetal-compute inventory group. We also print all of the inspection rules and collect the inspection data for debugging purposes. Change-Id: I9d9233ea576e5cf7ce4f51db12817af00400a1cb Signed-off-by: Will Szumski --- dev/functions | 41 ++++++++++++++++++++ dev/overcloud-test-inspect.sh | 16 ++++++++ playbooks/kayobe-overcloud-base/baremetal.j2 | 2 + playbooks/kayobe-overcloud-base/run.yml | 6 +++ roles/kayobe-diagnostics/files/get_logs.sh | 5 +++ 5 files changed, 70 insertions(+) create mode 100755 dev/overcloud-test-inspect.sh diff --git a/dev/functions b/dev/functions index 907151f10..000370eb6 100644 --- a/dev/functions +++ b/dev/functions 
@@ -618,6 +618,47 @@ function overcloud_test_bounce_interface { run_kayobe overcloud host configure -t network } +function overcloud_inspection_rule_dump { + echo "Listing inspection rules ..." + openstack baremetal inspection rule list + echo "Dumping inspection rules ..." + openstack baremetal inspection rule list -c UUID -f value | xargs -L 1 openstack baremetal inspection rule show +} + +function overcloud_test_inspect { + set -eu + node=$1 + + environment_setup + + source "${KOLLA_CONFIG_PATH:-/etc/kolla}/admin-openrc-system.sh" + + overcloud_inspection_rule_dump + + echo "Baremetal node: $node before inspection" + openstack baremetal node show "$node" + + # NOTE(wszumski): Switch to using kayobe playbooks to manage and inspect + # when we switch to node registration + + if [ "$(openstack baremetal node show -c provision_state -f value $node)" != "manageable" ]; then + openstack baremetal node manage "$node" --wait + fi + + # Run inspection + openstack baremetal node inspect "$node" --wait + + echo "Baremetal node: $node after inspection" + openstack baremetal node show $node + openstack baremetal node inventory save $node + + # Use Kayobe to save introspection data + run_kayobe baremetal compute introspection data save --limit "baremetal-compute,controllers[0]" --output-dir /tmp/baremetal-compute-inspection-data + + # Move back to available + openstack baremetal node provide "$node" --wait +} + function overcloud_test { set -eu diff --git a/dev/overcloud-test-inspect.sh b/dev/overcloud-test-inspect.sh new file mode 100755 index 000000000..ea6aec667 --- /dev/null +++ b/dev/overcloud-test-inspect.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +set -eu +set -o pipefail + +PARENT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + +source "${PARENT}/functions" + + +function main { + config_init + overcloud_test_inspect tk0 +} + +main diff --git a/playbooks/kayobe-overcloud-base/baremetal.j2 b/playbooks/kayobe-overcloud-base/baremetal.j2 index 013468258..47920424d 100644 
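Review bot: `overcloud_inspection_rule_dump` prints the full body of every inspection rule, and the run.yml task added in this patch redirects the script output into `{{ logs_dir }}`, so the `set-attribute` values of the IPMI and Redfish credential rules land in the collected job logs unless the API redacts them. It is worth confirming that those rules are created as sensitive and come back masked, or restricting `rule show` to chosen columns with `-c`. Separately, `xargs -L 1` without `-r` still runs `openstack baremetal inspection rule show` once with no argument when the list is empty (GNU xargs behaviour), which would abort the script under `set -eu` and `pipefail`; `xargs -r -L 1 openstack baremetal inspection rule show` avoids that. `$node` is quoted in some calls and bare in others (`node show $node`, `inventory save $node`, the `provision_state` check); quoting all of them and using `local node=$1` would keep the function consistent.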
--- a/playbooks/kayobe-overcloud-base/baremetal.j2 +++ b/playbooks/kayobe-overcloud-base/baremetal.j2 @@ -1,2 +1,4 @@ [baremetal-compute] hv100 +tk0 +tk1 diff --git a/playbooks/kayobe-overcloud-base/run.yml b/playbooks/kayobe-overcloud-base/run.yml index 76ecd8af6..2f5d01acc 100644 --- a/playbooks/kayobe-overcloud-base/run.yml +++ b/playbooks/kayobe-overcloud-base/run.yml @@ -36,6 +36,12 @@ chdir: "{{ kayobe_src_dir }}" executable: /bin/bash + - name: Test inspection of the baremetal machines + shell: + cmd: dev/overcloud-test-inspect.sh &> {{ logs_dir }}/ansible/overcloud-test-inspect + chdir: "{{ kayobe_src_dir }}" + executable: /bin/bash + - name: Perform testing of the baremetal machines shell: cmd: dev/overcloud-test-baremetal.sh &> {{ logs_dir }}/ansible/overcloud-test-baremetal diff --git a/roles/kayobe-diagnostics/files/get_logs.sh b/roles/kayobe-diagnostics/files/get_logs.sh index 2b2b54964..cc880b9d6 100644 --- a/roles/kayobe-diagnostics/files/get_logs.sh +++ b/roles/kayobe-diagnostics/files/get_logs.sh @@ -151,6 +151,11 @@ copy_logs() { cp /opt/kayobe/images/deployment_image/deployment_image.stderr /opt/kayobe/images/deployment_image/deployment_image.stdout ${LOG_DIR}/kayobe/ fi + # Baremetal inspection data + if [ -d "/tmp/baremetal-compute-inspection-data" ]; then + cp -rf /tmp/baremetal-compute-inspection-data ${LOG_DIR} + fi + # Rename files to .txt; this is so that when displayed via # logs.openstack.org clicking results in the browser shows the # files, rather than trying to send it to another app or make you From 645a3074063f9df8c958c2b241d62b3fa4aef9ea Mon Sep 17 00:00:00 2001 From: Maksim Malchuk Date: Thu, 27 Nov 2025 00:01:16 +0300 Subject: [PATCH 127/187] Fix typo of the task name TrivialFix Change-Id: I066ef977825df4c4c34fcdc92523794656ece0d7 Signed-off-by: Maksim Malchuk --- ansible/kayobe-target-venv.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ansible/kayobe-target-venv.yml b/ansible/kayobe-target-venv.yml index 9e782bdee..11d7a8938 100644 --- a/ansible/kayobe-target-venv.yml +++ b/ansible/kayobe-target-venv.yml @@ -119,7 +119,7 @@ become: True when: kayobe_virtualenv is not defined - - name: Ensure kolla-ansible virtualenv has docker SDK for python installed + - name: Ensure kayobe virtualenv has docker SDK for python installed pip: name: docker state: latest From c59e26189f8eb94c55f46aab30208204d0d5bbd0 Mon Sep 17 00:00:00 2001 From: Bartosz Bezak Date: Wed, 26 Nov 2025 18:43:11 +0100 Subject: [PATCH 128/187] Handle empty remote_hosts in kayobe connectivity check Closes-Bug: #2133047 Change-Id: Ibecc0302a2a9620ef5c2bc93b73cb1a6ad71b4c9 Signed-off-by: Bartosz Bezak --- ansible/network-connectivity.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/network-connectivity.yml b/ansible/network-connectivity.yml index 2d8d2ccdd..3e0238d8c 100644 --- a/ansible/network-connectivity.yml +++ b/ansible/network-connectivity.yml @@ -69,7 +69,7 @@ ping {{ remote_ip }} -c1 -M do {% if mtu %} -s {{ mtu | int - icmp_overhead_bytes }}{% endif %} with_items: "{{ network_interfaces }}" loop_control: - label: "{{ remote_host }} on {{ item }}" + label: "{{ remote_host | default('none', true) }} on {{ item }}" when: - remote_hosts | length > 0 - remote_ip | length > 0 @@ -90,6 +90,6 @@ # when check: remote_ip | length > 0, would pass, but remote_ip was '' # in the command. Assumption was that this was being evaluated once # for the when clause and then again for the command. Bug? - remote_host: "{{ remote_hosts | random(seed=ansible_facts.date_time.iso8601) }}" + remote_host: "{{ remote_hosts | random(seed=ansible_facts.date_time.iso8601) if remote_hosts | length > 0 else '' }}" remote_ip: "{{ lookup('cached', 'vars', item ~ '_ips', default={})[remote_host] | default('', true) }}" mtu: "{{ item | net_mtu }}" From fe86f0af7d5bc835cd139006a59c4e6c3b63b50f Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Fri, 28 Nov 2025 09:05:23 +0100 Subject: [PATCH 129/187] CI: Skip baremetal inspect for UEFI boot mode The kayobe-overcloud-tls-rocky10 job is frequently failing with: Node tk0 failed to reach state manageable. It's in state inspect failed, and has error: timeout reached while inspecting the node This happens when ironic_boot_mode is set to uefi. Skip baremetal inspect for UEFI boot mode until the issue is fixed. Change-Id: Icb74fd51735ee0f45fb7d4109f214bfbb7f50057 Signed-off-by: Pierre Riteau --- playbooks/kayobe-overcloud-base/run.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/playbooks/kayobe-overcloud-base/run.yml b/playbooks/kayobe-overcloud-base/run.yml index 2f5d01acc..e5c617bc8 100644 --- a/playbooks/kayobe-overcloud-base/run.yml +++ b/playbooks/kayobe-overcloud-base/run.yml @@ -41,6 +41,8 @@ cmd: dev/overcloud-test-inspect.sh &> {{ logs_dir }}/ansible/overcloud-test-inspect chdir: "{{ kayobe_src_dir }}" executable: /bin/bash + # TODO(priteau): Fix baremetal inspect issues with UEFI + when: ironic_boot_mode == 'bios' - name: Perform testing of the baremetal machines shell: From 6194b950053c37295213323c95fc7220466367f3 Mon Sep 17 00:00:00 2001 From: Bartosz Bezak Date: Wed, 26 Nov 2025 14:36:51 +0100 Subject: [PATCH 130/187] Bifrost: Add inspector_keep_ports option Default value stays `present` to match Bifrost (overcloud ironic default remains `added`). Change-Id: Iffc8de818e80ee42f5946e2ef04b997d8a9a2f67 Signed-off-by: Bartosz Bezak --- ansible/inventory/group_vars/all/bifrost | 4 ++++ ansible/roles/kolla-bifrost/defaults/main.yml | 3 +++ .../templates/kolla/config/bifrost/bifrost.yml | 5 +++++ doc/source/configuration/reference/bifrost.rst | 3 +++ etc/kayobe/bifrost.yml | 4 ++++ releasenotes/notes/bifrost-keep-ports-5f2e583a201645b9.yaml | 6 ++++++ 6 files changed, 25 insertions(+) create mode 100644 releasenotes/notes/bifrost-keep-ports-5f2e583a201645b9.yaml 
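Review bot: The new `when: ironic_boot_mode == 'bios'` assumes `ironic_boot_mode` is defined for every job that inherits this playbook; if any job leaves it unset, the task fails on an undefined variable rather than being skipped. If that cannot be guaranteed from the job definitions (not visible in this hunk), `when: ironic_boot_mode | default('bios') == 'bios'` makes the intent explicit. The TODO would also be easier to follow up if it referenced a bug number, since UEFI jobs now skip the inspection test without any other record.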
diff --git a/ansible/inventory/group_vars/all/bifrost b/ansible/inventory/group_vars/all/bifrost index fc02cf5a0..f307c4118 100644 --- a/ansible/inventory/group_vars/all/bifrost +++ b/ansible/inventory/group_vars/all/bifrost @@ -96,6 +96,10 @@ kolla_bifrost_inspector_hooks: "{{ inspector_hooks }}" # 'active' or 'pxe'. kolla_bifrost_inspector_port_addition: "{{ inspector_add_ports }}" +# Which ports to keep after introspection. One of 'all', 'present', or 'added'. +# Default follows Bifrost's default of 'present'. +kolla_bifrost_inspector_keep_ports: "present" + # List of extra kernel parameters for the inspector default PXE configuration. # Default is {{ inspector_extra_kernel_options }}, defined in inspector.yml. # When customising this variable, the default extra kernel parameters should be diff --git a/ansible/roles/kolla-bifrost/defaults/main.yml b/ansible/roles/kolla-bifrost/defaults/main.yml index eff98ea8f..2ab957d03 100644 --- a/ansible/roles/kolla-bifrost/defaults/main.yml +++ b/ansible/roles/kolla-bifrost/defaults/main.yml @@ -48,6 +48,9 @@ kolla_bifrost_inspector_hooks: # 'active' or 'pxe'. kolla_bifrost_inspector_port_addition: +# Which ports to keep after introspection. One of 'all', 'present', or 'added'. +kolla_bifrost_inspector_keep_ports: + # List of extra kernel parameters for the inspector default PXE configuration. kolla_bifrost_inspector_extra_kernel_options: diff --git a/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml b/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml index e1e671b67..712bed6de 100644 --- a/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml +++ b/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml 
@@ -39,6 +39,11 @@ inspector_hooks: "{{ kolla_bifrost_inspector_hooks | join(',') }}" inspector_port_addition: "{{ kolla_bifrost_inspector_port_addition }}" {% endif %} +{% if kolla_bifrost_inspector_keep_ports %} +# Which ports to keep after introspection. One of 'all', 'present', or 'added'. +inspector_keep_ports: "{{ kolla_bifrost_inspector_keep_ports }}" +{% endif %} + {% if kolla_bifrost_inspector_extra_kernel_options %} # Extra kernel parameters for the inspector default PXE configuration. inspector_extra_kernel_options: "{{ kolla_bifrost_inspector_extra_kernel_options if kolla_bifrost_inspector_extra_kernel_options is string else kolla_bifrost_inspector_extra_kernel_options | join(' ') }}" diff --git a/doc/source/configuration/reference/bifrost.rst b/doc/source/configuration/reference/bifrost.rst index cbd3e738e..62ab636be 100644 --- a/doc/source/configuration/reference/bifrost.rst +++ b/doc/source/configuration/reference/bifrost.rst @@ -276,6 +276,9 @@ The following options configure the Ironic Inspector service in the Which MAC addresses to add as ports during introspection. One of ``all``, ``active`` or ``pxe``. Default is ``{{ inspector_add_ports }}``, defined in ``${KAYOBE_CONFIG_PATH}/inspector.yml``. +``kolla_bifrost_inspector_keep_ports`` + Which ports to keep after introspection. One of ``all``, ``present`` or + ``added``. Default is ``present`` to align with Bifrost's defaults. ``kolla_bifrost_inspector_extra_kernel_options`` List of extra kernel parameters for the inspector default PXE configuration. Default is ``{{ inspector_extra_kernel_options }}``, defined diff --git a/etc/kayobe/bifrost.yml b/etc/kayobe/bifrost.yml index 4150e6600..d65c9d27d 100644 --- a/etc/kayobe/bifrost.yml +++ b/etc/kayobe/bifrost.yml 
@@ -96,6 +96,10 @@ # 'active' or 'pxe'. #kolla_bifrost_inspector_port_addition: +# Which ports to keep after introspection. One of 'all', 'present', or 'added'. +# Default follows Bifrost's default of 'present'. +#kolla_bifrost_inspector_keep_ports: + # List of extra kernel parameters for the inspector default PXE configuration. # Default is {{ inspector_extra_kernel_options }}, defined in inspector.yml. # When customising this variable, the default extra kernel parameters should be diff --git a/releasenotes/notes/bifrost-keep-ports-5f2e583a201645b9.yaml b/releasenotes/notes/bifrost-keep-ports-5f2e583a201645b9.yaml new file mode 100644 index 000000000..9041d79a4 --- /dev/null +++ b/releasenotes/notes/bifrost-keep-ports-5f2e583a201645b9.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Allows configuring ``inspector_keep_ports`` for Bifrost via + ``kolla_bifrost_inspector_keep_ports`` (defaults to ``present`` to match + Bifrost). From fa13678912cf57ff275768379a4af4e6d775f10d Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Mon, 1 Dec 2025 10:13:26 +0100 Subject: [PATCH 131/187] Fix Bifrost host variable file generation In deployments without an IPv4 gateway defined, for example when behind a proxy, Bifrost host variable file generation was failing. Fix by allowing ipv4_gateway to be set to an empty string, which is supported in Bifrost. Closes-Bug: #2133489 Change-Id: I988810541b4620ac196d216bf54896a774282fdd Signed-off-by: Pierre Riteau --- ansible/kolla-bifrost-hostvars.yml | 2 +- releasenotes/notes/bug-2133489-1b83b7e24655caff.yaml | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/bug-2133489-1b83b7e24655caff.yaml diff --git a/ansible/kolla-bifrost-hostvars.yml b/ansible/kolla-bifrost-hostvars.yml index ebe13ceb0..21e1849c4 100644 --- a/ansible/kolla-bifrost-hostvars.yml +++ b/ansible/kolla-bifrost-hostvars.yml 
@@ -26,7 +26,7 @@ # If the admin network does not have a gateway defined and seed SNAT is # enabled, use the seed as a gateway to allow external access until other # networks have been configured. Otherwise, do not set any gateway. - ipv4_gateway: "{{ (admin_oc_net_name | net_gateway) or (admin_oc_net_name | net_ip(seed_host) if seed_enable_snat | bool) }}" + ipv4_gateway: "{{ (admin_oc_net_name | net_gateway) or (admin_oc_net_name | net_ip(seed_host) if seed_enable_snat | bool) or '' }}" ipv4_nameserver: "{{ resolv_nameservers }}" network_mtu: "{{ admin_oc_net_name | net_mtu or '1500' }}" vlan_id: "{{ '' if admin_oc_net_name == provision_oc_net_name else (admin_oc_net_name | net_vlan) }}" diff --git a/releasenotes/notes/bug-2133489-1b83b7e24655caff.yaml b/releasenotes/notes/bug-2133489-1b83b7e24655caff.yaml new file mode 100644 index 000000000..3173fb921 --- /dev/null +++ b/releasenotes/notes/bug-2133489-1b83b7e24655caff.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Fixes generation of Bifrost host variable files when ``ipv4_gateway`` is + undefined. `LP#2133489 `__ From 88f30f24ad40c3dff5e02030931755c5c99e863b Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 4 Dec 2025 11:42:16 +0100 Subject: [PATCH 132/187] CI: Stop using infra cache servers as registry We are seeing frequent CI job failures due to timeouts while fetching container images. See similar change in kolla-ansible [1]. Also remove the kolla_docker_namespace variable from CI overrides: "openstack.kolla" has been the default value since 2021 [2]. [1] https://review.opendev.org/c/openstack/kolla-ansible/+/967159 [2] https://review.opendev.org/c/openstack/kayobe/+/812947 Change-Id: I27ba36000d4f5842f27fc49230314fd54e434dcb 
Signed-off-by: Pierre Riteau --- playbooks/kayobe-overcloud-base/overrides.yml.j2 | 3 --- playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2 | 3 --- playbooks/kayobe-seed-base/overrides.yml.j2 | 3 --- playbooks/kayobe-seed-upgrade-base/overrides.yml.j2 | 3 --- 4 files changed, 12 deletions(-) diff --git a/playbooks/kayobe-overcloud-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-base/overrides.yml.j2 index 8f1a2bbec..16f94d9c2 100644 --- a/playbooks/kayobe-overcloud-base/overrides.yml.j2 +++ b/playbooks/kayobe-overcloud-base/overrides.yml.j2 @@ -4,9 +4,6 @@ docker_daemon_debug: true docker_registry_mirrors: - "http://{{ zuul_site_mirror_fqdn }}:8082/" -kolla_docker_namespace: "openstack.kolla" -# use the published images from a site mirror of quay.io -kolla_docker_registry: "{{ zuul_site_mirror_fqdn }}:4447" kolla_source_url: "{{ ansible_env.PWD ~ '/' ~ zuul.projects['opendev.org/openstack/kolla'].src_dir }}" kolla_source_version: "{{ zuul.projects['opendev.org/openstack/kolla'].checkout }}" kolla_ansible_source_url: "{{ ansible_env.PWD ~ '/' ~ zuul.projects['opendev.org/openstack/kolla-ansible'].src_dir }}" diff --git a/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2 index 1170a5ed9..dc8fdb04f 100644 --- a/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2 +++ b/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2 @@ -4,9 +4,6 @@ docker_daemon_debug: true docker_registry_mirrors: - "http://{{ zuul_site_mirror_fqdn }}:8082/" -kolla_docker_namespace: "openstack.kolla" -# use the published images from a site mirror of quay.io -kolla_docker_registry: "{{ zuul_site_mirror_fqdn }}:4447" {% if not is_previous_release | default(false) %} kolla_source_url: "{{ ansible_env.PWD ~ '/' ~ zuul.projects['opendev.org/openstack/kolla'].src_dir }}" kolla_source_version: "{{ zuul.projects['opendev.org/openstack/kolla'].checkout }}" 
diff --git a/playbooks/kayobe-seed-base/overrides.yml.j2 b/playbooks/kayobe-seed-base/overrides.yml.j2 index 8f4987390..9cfad25f8 100644 --- a/playbooks/kayobe-seed-base/overrides.yml.j2 +++ b/playbooks/kayobe-seed-base/overrides.yml.j2 @@ -15,9 +15,6 @@ docker_registry_image_full: "quay.io/libpod/registry:2.8.2" docker_registry_mirrors: - "http://{{ zuul_site_mirror_fqdn }}:8082/" -kolla_docker_namespace: "openstack.kolla" -# use the published images from a site mirror of quay.io -kolla_docker_registry: "{{ zuul_site_mirror_fqdn }}:4447" # NOTE(mgoddard): The kolla repository is copied to /tmp/kolla and made # readable by the stack user. kolla_source_url: "/tmp/kolla" diff --git a/playbooks/kayobe-seed-upgrade-base/overrides.yml.j2 b/playbooks/kayobe-seed-upgrade-base/overrides.yml.j2 index 49d493862..11797e695 100644 --- a/playbooks/kayobe-seed-upgrade-base/overrides.yml.j2 +++ b/playbooks/kayobe-seed-upgrade-base/overrides.yml.j2 @@ -6,9 +6,6 @@ docker_registry_image_full: "quay.io/libpod/registry:2.8.2" docker_registry_mirrors: - "http://{{ zuul_site_mirror_fqdn }}:8082/" -kolla_docker_namespace: "openstack.kolla" -# use the published images from a site mirror of quay.io -kolla_docker_registry: "{{ zuul_site_mirror_fqdn }}:4447" {% if not is_previous_release | default(false) %} kolla_source_url: "{{ ansible_env.PWD ~ '/' ~ zuul.projects['opendev.org/openstack/kolla'].src_dir }}" kolla_source_version: "{{ zuul.projects['opendev.org/openstack/kolla'].checkout }}" From ec066451766f43873081b6f1120791ddfe05ef09 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 5 Dec 2025 09:03:35 +0100 Subject: [PATCH 133/187] Revert "[release] Use OpenStack 2025.2 release" This reverts commit 237e8b07e046b1736f74f648e4c489644e4aad3c. Reason for revert: 2025.2 has been branched and released Change-Id: I36e92d7f4eea44b7f0b1606e9f09a2e6fd6210f3 
Signed-off-by: Pierre Riteau --- ansible/inventory/group_vars/all/openstack | 6 +++--- etc/kayobe/openstack.yml | 4 ++-- requirements.yml | 2 +- tox.ini | 10 +++++----- zuul.d/jobs.yaml | 8 -------- 5 files changed, 11 insertions(+), 19 deletions(-) diff --git a/ansible/inventory/group_vars/all/openstack b/ansible/inventory/group_vars/all/openstack index a62a39a31..430293d3f 100644 --- a/ansible/inventory/group_vars/all/openstack +++ b/ansible/inventory/group_vars/all/openstack @@ -2,10 +2,10 @@ ############################################################################### # OpenStack release configuration. -# Name of the current OpenStack release. Default is "2025.2". -openstack_release: "2025.2" +# Name of the current OpenStack release. Default is "master". +openstack_release: "master" -# Name of the current OpenStack branch. Default is "stable/2025.2". +# Name of the current OpenStack branch. Default is "master". openstack_branch: >- {% if openstack_release != 'master' %}stable/{% endif %}{{ openstack_release | lower }} diff --git a/etc/kayobe/openstack.yml b/etc/kayobe/openstack.yml index d58a145fe..1acfd0756 100644 --- a/etc/kayobe/openstack.yml +++ b/etc/kayobe/openstack.yml @@ -2,10 +2,10 @@ ############################################################################### # OpenStack release configuration. -# Name of the current OpenStack release. Default is "2025.2". +# Name of the current OpenStack release. Default is "master". #openstack_release: -# Name of the current OpenStack branch. Default is "stable/2025.2". +# Name of the current OpenStack branch. Default is "master". #openstack_branch: ############################################################################### diff --git a/requirements.yml b/requirements.yml index 300f6ea5a..a52a64662 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -2,7 +2,7 @@ collections: - name: https://opendev.org/openstack/ansible-collection-kolla type: git - version: stable/2025.2 + version: master - name: community.docker version: 3.11.0 - name: community.network diff --git a/tox.ini b/tox.ini index c15275dcf..a8ea73ca1 100644 --- a/tox.ini +++ b/tox.ini @@ -19,7 +19,7 @@ setenv = OS_TEST_TIMEOUT=60 ANSIBLE_VERBOSITY=3 deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2025.2} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} -r{toxinidir}/requirements.txt -r{toxinidir}/test-requirements.txt commands = stestr run {posargs} @@ -27,7 +27,7 @@ commands = stestr run {posargs} [testenv:pep8] # sphinx8 needs the sphinx package which is required via doc/requirements.txt deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2025.2} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} -r{toxinidir}/requirements.txt -r{toxinidir}/doc/requirements.txt -r{toxinidir}/test-requirements.txt @@ -42,7 +42,7 @@ commands = [testenv:venv] deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2025.2} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} -r{toxinidir}/test-requirements.txt -r{toxinidir}/doc/requirements.txt commands = {posargs} @@ -60,7 +60,7 @@ commands = [testenv:molecule] deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2025.2} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} -r{toxinidir}/requirements.txt -r{toxinidir}/molecule-requirements.txt commands = @@ -131,7 +131,7 @@ commands = [testenv:docs] deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2025.2} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} -r{toxinidir}/doc/requirements.txt commands = rm -rf doc/build/html 
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 61b2bd44a..2af930cf3 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -71,19 +71,11 @@ required-projects: # Include kayobe to ensure other projects can use this job. - name: openstack/ansible-collection-kolla - # TODO(priteau): Remove when kayobe stable/2025.2 exists. - override-checkout: stable/2025.2 - name: openstack/kayobe - name: openstack/kayobe-config-dev - name: openstack/kolla - # TODO(priteau): Remove when kayobe stable/2025.2 exists. - override-checkout: stable/2025.2 - name: openstack/kolla-ansible - # TODO(priteau): Remove when kayobe stable/2025.2 exists. - override-checkout: stable/2025.2 - name: openstack/requirements - # TODO(priteau): Remove when kayobe stable/2025.2 exists. - override-checkout: stable/2025.2 - name: openstack/tenks irrelevant-files: - ^\..+ From 390d9663e2913587041a2118bfa3fce03a3fd3f8 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Sat, 6 Dec 2025 10:04:01 +0100 Subject: [PATCH 134/187] Document another change when moving to unmaintained Change-Id: Ie3743e0b54c32a8cbc7995f4b5c3e59b4f01d96b Signed-off-by: Pierre Riteau --- doc/source/contributor/releases.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/source/contributor/releases.rst b/doc/source/contributor/releases.rst index a95a93599..b54ee295a 100644 --- a/doc/source/contributor/releases.rst +++ b/doc/source/contributor/releases.rst @@ -253,6 +253,12 @@ all references to ``stable/`` need to be changed to unmaintained branch. For example, see https://review.opendev.org/c/openstack/kayobe/+/968298. +More recent releases which include upgrade jobs from the unmaintained release +should update their CI configuration to use the +``unmaintained/`` branch. For example, see +https://review.opendev.org/c/openstack/kayobe/+/969411 and +https://review.opendev.org/c/openstack/kayobe/+/970016. + Transitioning to End of Life (EOL) ================================== 
From 3c2cf92507ca0a493d1454b34dcc47f2673f830b Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 9 Dec 2025 21:52:23 +0100 Subject: [PATCH 135/187] CI: Ensure firewalld is unmasked Recent nodepool images are masking the firewalld service [1], but we need it for host configure jobs. [1] https://review.opendev.org/c/opendev/zuul-providers/+/967962 Change-Id: Ic72f2e3a262d6491da8bc39de19e23c3acbedf89 Signed-off-by: Pierre Riteau --- playbooks/kayobe-overcloud-host-configure-base/pre.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/playbooks/kayobe-overcloud-host-configure-base/pre.yml b/playbooks/kayobe-overcloud-host-configure-base/pre.yml index a0bfb9252..d564c45a8 100644 --- a/playbooks/kayobe-overcloud-host-configure-base/pre.yml +++ b/playbooks/kayobe-overcloud-host-configure-base/pre.yml @@ -43,3 +43,9 @@ become: true loop: "{{ range(2, 8) | list }}" when: ansible_facts.os_family == 'Debian' + + - name: Ensure firewalld is unmasked + ansible.builtin.systemd_service: + name: firewalld + masked: false + become: true From ec5c5e6b6cdba9644c3486d4fdee5053801cf3f9 Mon Sep 17 00:00:00 2001 From: Thomas Sell Date: Sat, 8 Nov 2025 17:29:33 +0100 Subject: [PATCH 136/187] Add configuration for Ironic introspection DNS servers Closes-Bug: #2130947 Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/966023 Change-Id: Ie5ea55953eb1c0cc04a2d387bf99bd542da396eb Signed-off-by: Thomas Sell --- ansible/kolla-ansible.yml | 1 + ansible/roles/kolla-ansible/defaults/main.yml | 3 +++ ansible/roles/kolla-ansible/templates/kolla/globals.yml | 3 +++ doc/source/configuration/reference/network.rst | 9 +++++++-- kayobe/plugins/filter/networks.py | 7 +++++++ .../notes/dns-config-ironic-dhcp-967a99a01005a6bc.yaml | 5 +++++ 6 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/dns-config-ironic-dhcp-967a99a01005a6bc.yaml diff --git a/ansible/kolla-ansible.yml b/ansible/kolla-ansible.yml index 55b79c530..34ae1ac87 100644 
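Review bot: The new `Ensure firewalld is unmasked` task at the end of playbooks/kayobe-overcloud-host-configure-base/pre.yml has no comment saying why CI must unmask the unit, so the reason lives only in the commit message. I would add above it `# NOTE: Recent nodepool images mask firewalld, but host configure jobs need it.` followed by the review link https://review.opendev.org/c/opendev/zuul-providers/+/967962. Unlike the task just before it, which is limited by `when: ansible_facts.os_family == 'Debian'`, this one has no `when:`, so it presumably runs on every node of the job; if that is intended, the comment should say so. The task only clears the mask and does not start or enable the service, which looks deliberate given that the job under test configures the firewall itself. The same hunk is repeated in PATCH 139/187, and the play it belongs to starts outside the hunk.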
--- a/ansible/kolla-ansible.yml +++ b/ansible/kolla-ansible.yml @@ -99,6 +99,7 @@ kolla_inspector_dhcp_pool_end: "{{ inspection_net_name | net_inspection_allocation_pool_end }}" kolla_inspector_netmask: "{{ inspection_net_name | net_mask }}" kolla_inspector_default_gateway: "{{ inspection_net_name | net_inspection_gateway or inspection_net_name | net_gateway }}" + kolla_inspector_dns_servers: "{{ inspection_net_name | net_inspection_dns_servers }}" kolla_inspector_extra_kernel_options: "{{ inspector_extra_kernel_options }}" kolla_libvirt_tls: "{{ compute_libvirt_enable_tls | bool }}" kolla_globals_paths_static: diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml index 9ea9849c0..f95225b74 100644 --- a/ansible/roles/kolla-ansible/defaults/main.yml +++ b/ansible/roles/kolla-ansible/defaults/main.yml @@ -200,6 +200,9 @@ kolla_inspector_netmask: # Default gateway to use for inspection network. kolla_inspector_default_gateway: +# DNS servers for inspection network. +kolla_inspector_dns_servers: [] + # List of extra kernel parameters for the inspector default PXE configuration. kolla_inspector_extra_kernel_options: [] diff --git a/ansible/roles/kolla-ansible/templates/kolla/globals.yml b/ansible/roles/kolla-ansible/templates/kolla/globals.yml index a1a01451d..2fbe8e40a 100644 --- a/ansible/roles/kolla-ansible/templates/kolla/globals.yml +++ b/ansible/roles/kolla-ansible/templates/kolla/globals.yml @@ -401,6 +401,9 @@ ironic_dnsmasq_dhcp_ranges: {% if kolla_inspector_default_gateway %} routers: "{{ kolla_inspector_default_gateway }}" {% endif %} +{% if kolla_inspector_dns_servers %} + dns_servers: "{{ kolla_inspector_dns_servers | join(',') }}" +{% endif %} {% endif %} {% if kolla_inspector_extra_kernel_options %} ironic_inspector_kernel_cmdline_extras: diff --git a/doc/source/configuration/reference/network.rst b/doc/source/configuration/reference/network.rst index 595d1e110..19234a67e 100644 
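Review bot: The added `dns_servers: "{{ kolla_inspector_dns_servers | join(',') }}"` line in ansible/roles/kolla-ansible/templates/kolla/globals.yml assumes the value is a list; if an operator sets the network's `inspection_dns_servers` attribute to a single string, `join` iterates it character by character and renders a broken DHCP option. The value arrives unchanged from `net_inspection_dns_servers` in ansible/kolla-ansible.yml, and the new filter in kayobe/plugins/filter/networks.py appears to return the attribute as-is, so nothing normalises or validates it before it reaches the dnsmasq range. I would coerce it in the template, e.g. `{{ [kolla_inspector_dns_servers] | flatten | join(',') }}`, or reject non-list values where the attribute is read. Checking that each entry is an IP address before rendering would also keep stray characters out of the generated configuration.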
--- a/doc/source/configuration/reference/network.rst +++ b/doc/source/configuration/reference/network.rst @@ -39,6 +39,8 @@ supported: IP address of the gateway for the hardware introspection network. ``neutron_gateway`` IP address of the gateway for a neutron subnet based on this network. +``inspection_dns_servers`` + List of DNS servers used during hardware introspection. ``vlan`` VLAN ID. ``mtu`` @@ -828,19 +830,22 @@ If using the overcloud to inspect bare metal workload (compute) hosts, it is necessary to define a DHCP allocation pool for the overcloud's ironic inspector DHCP server using the ``inspection_allocation_pool_start`` and ``inspection_allocation_pool_end`` attributes of the workload provisioning -network. +network. If ``kolla_internal_fqdn`` is set, it is mandatory to also supply one +or more DNS servers using ``inspection_dns_servers``. .. note:: This example assumes that the ``example`` network is mapped to ``provision_wl_net_name``. -To configure a network called ``example`` with an inspection allocation pool: +To configure a network called ``example`` with an inspection allocation pool +and inspection DNS servers: .. code-block:: yaml example_inspection_allocation_pool_start: 10.0.1.196 example_inspection_allocation_pool_end: 10.0.1.254 + example_inspection_dns_servers: [10.0.1.10, 10.0.1.11] .. note:: diff --git a/kayobe/plugins/filter/networks.py b/kayobe/plugins/filter/networks.py index f949d7982..adf74460b 100644 --- a/kayobe/plugins/filter/networks.py +++ b/kayobe/plugins/filter/networks.py 
@@ -246,6 +246,12 @@ def net_inspection_allocation_pool_end(context, name, inventory_hostname=None): net_inspection_gateway = _make_attr_filter('inspection_gateway') +@jinja2.pass_context +def net_inspection_dns_servers(context, name, inventory_hostname=None): + return net_attr(context, name, 'inspection_dns_servers', + inventory_hostname) + + @jinja2.pass_context def net_neutron_allocation_pool_start(context, name, inventory_hostname=None): return net_attr(context, name, 'neutron_allocation_pool_start', @@ -791,6 +797,7 @@ def get_filters(): 'net_inspection_allocation_pool_end': ( net_inspection_allocation_pool_end), 'net_inspection_gateway': net_inspection_gateway, + 'net_inspection_dns_servers': net_inspection_dns_servers, 'net_neutron_allocation_pool_start': net_neutron_allocation_pool_start, 'net_neutron_allocation_pool_end': net_neutron_allocation_pool_end, 'net_neutron_gateway': net_neutron_gateway, diff --git a/releasenotes/notes/dns-config-ironic-dhcp-967a99a01005a6bc.yaml b/releasenotes/notes/dns-config-ironic-dhcp-967a99a01005a6bc.yaml new file mode 100644 index 000000000..5d234371e --- /dev/null +++ b/releasenotes/notes/dns-config-ironic-dhcp-967a99a01005a6bc.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Configure inspection network DNS servers to enable Ironic inspection + when ``kolla_internal_fqdn`` is set. From f773cd04888ebd6b3d728ac418ff320cba7252aa Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Mon, 15 Dec 2025 07:19:05 +0100 Subject: [PATCH 137/187] CI: Use centos:stream10 image for molecule Change-Id: Ie39a9975a6d9bec8e118d1d7e7a67fe2095b66a4 Signed-off-by: Pierre Riteau --- ansible/roles/kolla-openstack/molecule/default/molecule.yml | 4 ++-- .../kolla-openstack/molecule/enable-everything/molecule.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ansible/roles/kolla-openstack/molecule/default/molecule.yml b/ansible/roles/kolla-openstack/molecule/default/molecule.yml index 241f5d400..8827f3a99 100644 
--- a/ansible/roles/kolla-openstack/molecule/default/molecule.yml +++ b/ansible/roles/kolla-openstack/molecule/default/molecule.yml @@ -8,8 +8,8 @@ driver: lint: | yamllint . platforms: - - name: centos-stream9 - image: quay.io/centos/centos:stream9 + - name: centos-stream10 + image: quay.io/centos/centos:stream10 network_mode: host provisioner: name: ansible diff --git a/ansible/roles/kolla-openstack/molecule/enable-everything/molecule.yml b/ansible/roles/kolla-openstack/molecule/enable-everything/molecule.yml index 9fcabb6b2..acf40bd1b 100644 --- a/ansible/roles/kolla-openstack/molecule/enable-everything/molecule.yml +++ b/ansible/roles/kolla-openstack/molecule/enable-everything/molecule.yml @@ -8,8 +8,8 @@ driver: lint: | yamllint . platforms: - - name: centos-stream9 - image: quay.io/centos/centos:stream9 + - name: centos-stream10 + image: quay.io/centos/centos:stream10 network_mode: host provisioner: name: ansible From 9eac84915e2af0ca8f8f4200d041b608b4df0be4 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 5 Dec 2025 09:03:35 +0100 Subject: [PATCH 138/187] Revert "[release] Use OpenStack 2025.2 release" This reverts commit 237e8b07e046b1736f74f648e4c489644e4aad3c. Reason for revert: 2025.2 has been branched and released Change-Id: I36e92d7f4eea44b7f0b1606e9f09a2e6fd6210f3 Signed-off-by: Pierre Riteau --- ansible/inventory/group_vars/all/openstack | 6 +++--- etc/kayobe/openstack.yml | 4 ++-- requirements.yml | 2 +- tox.ini | 10 +++++----- zuul.d/jobs.yaml | 8 -------- 5 files changed, 11 insertions(+), 19 deletions(-) diff --git a/ansible/inventory/group_vars/all/openstack b/ansible/inventory/group_vars/all/openstack index a62a39a31..430293d3f 100644 --- a/ansible/inventory/group_vars/all/openstack +++ b/ansible/inventory/group_vars/all/openstack 
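Review bot: The new `image: quay.io/centos/centos:stream10` in both molecule scenarios is a floating tag, so the container the role tests run in can change underneath CI without any change in this repository. Both platforms also keep `network_mode: host`, so whatever that tag resolves to shares the CI node's network namespace. Consider pinning by digest, `image: quay.io/centos/centos@sha256:<digest-of-the-reviewed-image>`, and bumping it deliberately. The same applies to `quay.io/opendevmirror/ubuntu:24.04`, which PATCH 141/187 introduces in these two files.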
@@ -2,10 +2,10 @@ ############################################################################### # OpenStack release configuration. -# Name of the current OpenStack release. Default is "2025.2". -openstack_release: "2025.2" +# Name of the current OpenStack release. Default is "master". +openstack_release: "master" -# Name of the current OpenStack branch. Default is "stable/2025.2". +# Name of the current OpenStack branch. Default is "master". openstack_branch: >- {% if openstack_release != 'master' %}stable/{% endif %}{{ openstack_release | lower }} diff --git a/etc/kayobe/openstack.yml b/etc/kayobe/openstack.yml index d58a145fe..1acfd0756 100644 --- a/etc/kayobe/openstack.yml +++ b/etc/kayobe/openstack.yml @@ -2,10 +2,10 @@ ############################################################################### # OpenStack release configuration. -# Name of the current OpenStack release. Default is "2025.2". +# Name of the current OpenStack release. Default is "master". #openstack_release: -# Name of the current OpenStack branch. Default is "stable/2025.2". +# Name of the current OpenStack branch. Default is "master". #openstack_branch: ############################################################################### diff --git a/requirements.yml b/requirements.yml index 300f6ea5a..a52a64662 100644 --- a/requirements.yml +++ b/requirements.yml @@ -2,7 +2,7 @@ collections: - name: https://opendev.org/openstack/ansible-collection-kolla type: git - version: stable/2025.2 + version: master - name: community.docker version: 3.11.0 - name: community.network diff --git a/tox.ini b/tox.ini index c15275dcf..a8ea73ca1 100644 --- a/tox.ini +++ b/tox.ini 
@@ -19,7 +19,7 @@ setenv = OS_TEST_TIMEOUT=60 ANSIBLE_VERBOSITY=3 deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2025.2} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} -r{toxinidir}/requirements.txt -r{toxinidir}/test-requirements.txt commands = stestr run {posargs} @@ -27,7 +27,7 @@ commands = stestr run {posargs} [testenv:pep8] # sphinx8 needs the sphinx package which is required via doc/requirements.txt deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2025.2} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} -r{toxinidir}/requirements.txt -r{toxinidir}/doc/requirements.txt -r{toxinidir}/test-requirements.txt @@ -42,7 +42,7 @@ commands = [testenv:venv] deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2025.2} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} -r{toxinidir}/test-requirements.txt -r{toxinidir}/doc/requirements.txt commands = {posargs} @@ -60,7 +60,7 @@ commands = [testenv:molecule] deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2025.2} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} -r{toxinidir}/requirements.txt -r{toxinidir}/molecule-requirements.txt commands = @@ -131,7 +131,7 @@ commands = [testenv:docs] deps = - -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/2025.2} + -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} -r{toxinidir}/doc/requirements.txt commands = rm -rf doc/build/html diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 61b2bd44a..2af930cf3 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml 
@@ -71,19 +71,11 @@ required-projects: # Include kayobe to ensure other projects can use this job. - name: openstack/ansible-collection-kolla - # TODO(priteau): Remove when kayobe stable/2025.2 exists. - override-checkout: stable/2025.2 - name: openstack/kayobe - name: openstack/kayobe-config-dev - name: openstack/kolla - # TODO(priteau): Remove when kayobe stable/2025.2 exists. - override-checkout: stable/2025.2 - name: openstack/kolla-ansible - # TODO(priteau): Remove when kayobe stable/2025.2 exists. - override-checkout: stable/2025.2 - name: openstack/requirements - # TODO(priteau): Remove when kayobe stable/2025.2 exists. - override-checkout: stable/2025.2 - name: openstack/tenks irrelevant-files: - ^\..+ From 54e9cf621292052c9fb934a961d81d7b46f9422b Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 9 Dec 2025 21:52:23 +0100 Subject: [PATCH 139/187] CI: Ensure firewalld is unmasked Recent nodepool images are masking the firewalld service [1], but we need it for host configure jobs. [1] https://review.opendev.org/c/opendev/zuul-providers/+/967962 Change-Id: Ic72f2e3a262d6491da8bc39de19e23c3acbedf89 Signed-off-by: Pierre Riteau --- playbooks/kayobe-overcloud-host-configure-base/pre.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/playbooks/kayobe-overcloud-host-configure-base/pre.yml b/playbooks/kayobe-overcloud-host-configure-base/pre.yml index a0bfb9252..d564c45a8 100644 --- a/playbooks/kayobe-overcloud-host-configure-base/pre.yml +++ b/playbooks/kayobe-overcloud-host-configure-base/pre.yml @@ -43,3 +43,9 @@ become: true loop: "{{ range(2, 8) | list }}" when: ansible_facts.os_family == 'Debian' + + - name: Ensure firewalld is unmasked + ansible.builtin.systemd_service: + name: firewalld + masked: false + become: true From bc887cf89b099775d999e0a39c08cd525fbda0ce Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Tue, 16 Dec 2025 09:01:14 +0100 Subject: [PATCH 140/187] Document centos/rocky 10 support in 2025.1 Depends-On: https://review.opendev.org/c/openstack/kayobe/+/970263 Change-Id: I3477704578349a8febd69cd0c0909ba80637978e Signed-off-by: Pierre Riteau --- doc/source/support-matrix.rst | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/doc/source/support-matrix.rst b/doc/source/support-matrix.rst index fe973e3ef..a11503a91 100644 --- a/doc/source/support-matrix.rst +++ b/doc/source/support-matrix.rst @@ -19,14 +19,13 @@ therefore users need to build them by themselves. .. note:: CentOS Stream 9 is no longer supported as a host OS. The 2025.1 Epoxy - release will in future support both CentOS Stream 9 and 10 to provide a - route for migration. + release supports both CentOS Stream 9 and 10 to provide a route for + migration. .. note:: Rocky Linux 9 is no longer supported as a host OS. The 2025.1 Epoxy release - will in future support both CentOS Stream 9 and 10 to provide a route for - migration. + supports both CentOS Stream 9 and 10 to provide a route for migration. Supported container images ~~~~~~~~~~~~~~~~~~~~~~~~~~ From 1444d7947b154a251167cdb7aa54ef0b253aa079 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 18 Dec 2025 17:04:33 +0100 Subject: [PATCH 141/187] Use opendevmirror/ubuntu:24.04 image for molecule Molecule jobs were failing on centos:stream10 when CPU did not support x86-64-v3. Change-Id: I953ab956250d6dcc6e96212057db01f438c69d78 Signed-off-by: Pierre Riteau --- ansible/roles/kolla-openstack/molecule/default/molecule.yml | 4 ++-- .../kolla-openstack/molecule/enable-everything/molecule.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ansible/roles/kolla-openstack/molecule/default/molecule.yml b/ansible/roles/kolla-openstack/molecule/default/molecule.yml index 8827f3a99..6bef4caa3 100644 --- a/ansible/roles/kolla-openstack/molecule/default/molecule.yml 
+++ b/ansible/roles/kolla-openstack/molecule/default/molecule.yml @@ -8,8 +8,8 @@ driver: lint: | yamllint . platforms: - - name: centos-stream10 - image: quay.io/centos/centos:stream10 + - name: ubuntu-noble + image: quay.io/opendevmirror/ubuntu:24.04 network_mode: host provisioner: name: ansible diff --git a/ansible/roles/kolla-openstack/molecule/enable-everything/molecule.yml b/ansible/roles/kolla-openstack/molecule/enable-everything/molecule.yml index acf40bd1b..035a4cb09 100644 --- a/ansible/roles/kolla-openstack/molecule/enable-everything/molecule.yml +++ b/ansible/roles/kolla-openstack/molecule/enable-everything/molecule.yml @@ -8,8 +8,8 @@ driver: lint: | yamllint . platforms: - - name: centos-stream10 - image: quay.io/centos/centos:stream10 + - name: ubuntu-noble + image: quay.io/opendevmirror/ubuntu:24.04 network_mode: host provisioner: name: ansible From 41f2c3dc549988d7606201fe2ad7a4a2d11c6e6d Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 30 Dec 2025 16:37:39 +0100 Subject: [PATCH 142/187] CI: Disable kayobe-overcloud-tls-rocky10 job This job is failing following changes to kolla-ansible certificate generation [1]. The change itself is fine: the issue is caused by the way kayobe runs the `kolla-ansible certificates` command. [1] https://review.opendev.org/c/openstack/kolla-ansible/+/970099 Change-Id: I1f9816e7fb5131e6f745527c671659f32d0fb6df Signed-off-by: Pierre Riteau --- zuul.d/project.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 06cb37c91..a36ad72c9 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -21,7 +21,7 @@ - kayobe-overcloud-host-configure-ubuntu-noble - kayobe-overcloud-rocky10 - kayobe-overcloud-rocky10-podman - - kayobe-overcloud-tls-rocky10 + #- kayobe-overcloud-tls-rocky10 - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-upgrade-ubuntu-noble 
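Review bot: `#- kayobe-overcloud-tls-rocky10` is commented out in zuul.d/project.yaml with nothing in the file saying why or when it comes back, and while it is off the TLS deployment path on Rocky 10 has no coverage in this job list. The hunk that follows does the same in a second job list; the headers naming the two lists are outside the hunks. I would put a marker on the line above, e.g. `# TODO(priteau): Re-enable once kayobe's use of kolla-ansible certificates is fixed.`, matching the TODO style already used in zuul.d/jobs.yaml. PATCH 146/187 repeats this change.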
@@ -46,7 +46,7 @@ - kayobe-overcloud-host-configure-ubuntu-noble - kayobe-overcloud-rocky10 - kayobe-overcloud-rocky10-podman - - kayobe-overcloud-tls-rocky10 + #- kayobe-overcloud-tls-rocky10 - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-upgrade-ubuntu-noble From 47f836512e8106c8466da8248e12e51c6bcd12d4 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 31 Dec 2025 07:17:13 +0100 Subject: [PATCH 143/187] CI: Restore Rocky Linux upgrade jobs Change-Id: Ia3031732e04c05893caee56734a3c7df9c94ddb2 Signed-off-by: Pierre Riteau --- zuul.d/project.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index a36ad72c9..48e6fdd4e 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -24,11 +24,13 @@ #- kayobe-overcloud-tls-rocky10 - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman + - kayobe-overcloud-upgrade-rocky10 - kayobe-overcloud-upgrade-ubuntu-noble - kayobe-seed-rocky10 - kayobe-seed-rocky10-podman - kayobe-seed-ubuntu-noble - kayobe-seed-ubuntu-noble-podman + - kayobe-seed-upgrade-rocky10 - kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky10 - kayobe-seed-vm-ubuntu-noble @@ -49,11 +51,13 @@ #- kayobe-overcloud-tls-rocky10 - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman + - kayobe-overcloud-upgrade-rocky10 - kayobe-overcloud-upgrade-ubuntu-noble - kayobe-seed-rocky10 - kayobe-seed-rocky10-podman - kayobe-seed-ubuntu-noble - kayobe-seed-ubuntu-noble-podman + - kayobe-seed-upgrade-rocky10 - kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky10 - kayobe-seed-vm-ubuntu-noble 
@@ -66,14 +70,12 @@ - kayobe-infra-vm-ubuntu-noble-cloud-image - kayobe-overcloud-centos10s - kayobe-overcloud-tls-centos10s - - kayobe-overcloud-upgrade-rocky10 - kayobe-seed-centos10s - kayobe-seed-images-centos10s - kayobe-seed-images-rocky10 - kayobe-seed-images-rocky10-podman - kayobe-seed-images-ubuntu-noble - kayobe-seed-images-ubuntu-noble-podman - - kayobe-seed-upgrade-rocky10 - kayobe-seed-vm-centos10s - kayobe-seed-vm-centos10s-cloud-image - kayobe-seed-vm-centos10s-q35 From 600fc5ac2d9df06dccb08b01f1b8d585dd9d6d55 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 31 Dec 2025 15:46:03 +0100 Subject: [PATCH 144/187] CI: Fix overcloud deploy with TLS enabled This job was failing following changes to kolla-ansible certificate generation [1]. Fix by first running host configure while skipping the libvirt-host tag, then generating certificates, and finally running host configure again with only the libvirt-host tag, if required. [1] https://review.opendev.org/c/openstack/kolla-ansible/+/970099 Change-Id: Id5eda23b2b6647cbd0145d27afc849da66ea4440 Signed-off-by: Pierre Riteau --- dev/functions | 36 ++++++++++++++++++++---------------- zuul.d/project.yaml | 4 ++-- 2 files changed, 22 insertions(+), 18 deletions(-) diff --git a/dev/functions b/dev/functions index 000370eb6..20e571d26 100644 --- a/dev/functions +++ b/dev/functions @@ -231,6 +231,11 @@ function upgrade_kayobe_venv { # Deployment +function is_compute_libvirt_enabled { + compute_libvirt_enabled=$(kayobe configuration dump --host localhost --var-name compute_libvirt_enabled) + to_bool "$compute_libvirt_enabled" +} + function is_deploy_image_built_locally { ipa_build_images=$(kayobe configuration dump --host localhost --var-name ipa_build_images) to_bool "$ipa_build_images" 
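Review bot: In the new `is_compute_libvirt_enabled` helper in dev/functions, the output of `kayobe configuration dump` is passed to `to_bool` without checking that the command succeeded; how `to_bool` treats an empty string is not visible here, but if it reads as false the later `run_kayobe overcloud host configure --tags libvirt-host` step is skipped silently and the hosts are left without the libvirt configuration. Because the helper is called as an `if` condition, `set -e` in the caller (if it is used) would not catch the failed substitution either, so the exit status should be tested explicitly and the deploy aborted on failure. The variable is also assigned without `local`, so it leaks into the sourcing shell; `local compute_libvirt_enabled` before the assignment fixes that. The neighbouring `is_deploy_image_built_locally` has the same shape, so both could be corrected together. The hunk is repeated in PATCH 148/187.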
@@ -431,26 +436,23 @@ function overcloud_deploy { control_host_bootstrap + # NOTE(mgoddard): There is a chicken and egg when generating libvirt TLS + # certificates using the kolla-ansible certificates command, and host + # libvirt. The certificates command needs to be able to gather facts for + # all hosts, but if the host configure step hasn't been run, we don't have + # SSH or the kolla user configured yet. However, we can't run host + # configure without the libvirt TLS certificates. + # Workaround: skip libvirt-host tag until later + echo "Configuring the controller host" + run_kayobe overcloud host configure --skip-tags libvirt-host + if [[ ${KAYOBE_OVERCLOUD_GENERATE_CERTIFICATES} = 1 ]]; then echo "Generate TLS certificates" run_kayobe playbook run $KAYOBE_SOURCE_PATH/ansible/kolla-ansible.yml -t config - # NOTE(mgoddard): There is a chicken and egg when generating libvirt - # TLS certificates using the kolla-ansible certificates command, and - # host libvirt. The certificates command needs to be able to gather - # facts for all hosts, but since the host configure step hasn't been - # run, we don't have SSH or the kolla user configured yet. However, we - # can't run host configure without the libvirt TLS certificates. - # Workaround: add the host to SSH known hosts and SSH as $USER. - run_kayobe playbook run $KAYOBE_SOURCE_PATH/ansible/ssh-known-host.yml -l overcloud - - # Avoid populating the fact cache with this weird setup. - export ANSIBLE_CACHE_PLUGIN=memory + run_kayobe kolla ansible run certificates \ --kolla-extra kolla_certificates_dir=${KAYOBE_CONFIG_PATH}/kolla/certificates \ - --kolla-extra ansible_user=$USER \ - --kolla-extra ansible_python_interpreter=/usr/bin/python3 \ --skip-tags kolla-openstack - unset ANSIBLE_CACHE_PLUGIN # Add CA cert to trust store. ca_cert=${KAYOBE_CONFIG_PATH}/kolla/certificates/ca/root.crt 
@@ -465,8 +467,10 @@ function overcloud_deploy { fi fi - echo "Configuring the controller host" - run_kayobe overcloud host configure + if is_compute_libvirt_enabled; then + echo "Configuring libvirt daemon" + run_kayobe overcloud host configure --tags libvirt-host + fi # FIXME(mgoddard): Perform host upgrade workarounds to ensure hostname # resolves to IP address of API interface for RabbitMQ. This seems to be diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index a36ad72c9..06cb37c91 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -21,7 +21,7 @@ - kayobe-overcloud-host-configure-ubuntu-noble - kayobe-overcloud-rocky10 - kayobe-overcloud-rocky10-podman - #- kayobe-overcloud-tls-rocky10 + - kayobe-overcloud-tls-rocky10 - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-upgrade-ubuntu-noble @@ -46,7 +46,7 @@ - kayobe-overcloud-host-configure-ubuntu-noble - kayobe-overcloud-rocky10 - kayobe-overcloud-rocky10-podman - #- kayobe-overcloud-tls-rocky10 + - kayobe-overcloud-tls-rocky10 - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-upgrade-ubuntu-noble From 21213e77b21c7dd126c1434737bd79e5714b6d57 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Mon, 5 Jan 2026 09:53:16 +0100 Subject: [PATCH 145/187] Bump up Ansible supported versions to 12.x/13.x This change bumps up the maximum supported version of Ansible to 13.x (ansible-core 2.20.x) and minimum to 12.x (ansible-core 2.19.x). Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/971606 Change-Id: I9463cc1ad0855e59f858c355e6e636466d6a490b Signed-off-by: Pierre Riteau --- ansible/roles/kolla-ansible/defaults/main.yml | 2 +- releasenotes/notes/bump-ansible-13-07ef8be6a3fa4529.yaml | 6 ++++++ requirements.txt | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/bump-ansible-13-07ef8be6a3fa4529.yaml 
diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml index 7a0da3447..6ab577683 100644 --- a/ansible/roles/kolla-ansible/defaults/main.yml +++ b/ansible/roles/kolla-ansible/defaults/main.yml @@ -26,7 +26,7 @@ kolla_ansible_venv_extra_requirements: [] # tested code. Changes to this limit should be tested. It is possible to only # install ansible-core by setting kolla_ansible_venv_ansible to None. kolla_ansible_venv_ansible: -kolla_ansible_venv_ansible_core: 'ansible-core>=2.18,<2.20' +kolla_ansible_venv_ansible_core: 'ansible-core>=2.19,<2.21' # Path to a requirements.yml file for Ansible collections. kolla_ansible_requirements_yml: "{{ kolla_ansible_venv }}/share/kolla-ansible/requirements.yml" diff --git a/releasenotes/notes/bump-ansible-13-07ef8be6a3fa4529.yaml b/releasenotes/notes/bump-ansible-13-07ef8be6a3fa4529.yaml new file mode 100644 index 000000000..d7edd74e5 --- /dev/null +++ b/releasenotes/notes/bump-ansible-13-07ef8be6a3fa4529.yaml @@ -0,0 +1,6 @@ +--- +upgrade: + - | + Updates the maximum supported version of Ansible from 12 (ansible-core + 2.19) to 13 (ansible-core 2.20). The minimum supported version is updated + from 11.x to 12.x. This is true for both Kayobe and Kolla Ansible. diff --git a/requirements.txt b/requirements.txt index 75e9edefe..67091f5ae 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,6 +1,6 @@ pbr>=2.0 # Apache-2.0 Jinja2>3 # BSD -ansible>=11,<13 # GPLv3 +ansible>=12,<14 # GPLv3 cliff>=3.1.0 # Apache netaddr!=0.7.16,>=0.7.13 # BSD PyYAML>=3.10.0 # MIT From de304a47dcf3428310200d7923830df707e9016c Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Tue, 30 Dec 2025 16:37:39 +0100 Subject: [PATCH 146/187] CI: Disable kayobe-overcloud-tls-rocky10 job This job is failing following changes to kolla-ansible certificate generation [1]. The change itself is fine: the issue is caused by the way kayobe runs the `kolla-ansible certificates` command. [1] https://review.opendev.org/c/openstack/kolla-ansible/+/970099 Change-Id: I1f9816e7fb5131e6f745527c671659f32d0fb6df Signed-off-by: Pierre Riteau --- zuul.d/project.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 06cb37c91..a36ad72c9 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -21,7 +21,7 @@ - kayobe-overcloud-host-configure-ubuntu-noble - kayobe-overcloud-rocky10 - kayobe-overcloud-rocky10-podman - - kayobe-overcloud-tls-rocky10 + #- kayobe-overcloud-tls-rocky10 - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-upgrade-ubuntu-noble @@ -46,7 +46,7 @@ - kayobe-overcloud-host-configure-ubuntu-noble - kayobe-overcloud-rocky10 - kayobe-overcloud-rocky10-podman - - kayobe-overcloud-tls-rocky10 + #- kayobe-overcloud-tls-rocky10 - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-upgrade-ubuntu-noble From 703a247b724fb785427c32b5a3f9277a1dffe43b Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 31 Dec 2025 07:17:13 +0100 Subject: [PATCH 147/187] CI: Restore Rocky Linux upgrade jobs Change-Id: Ia3031732e04c05893caee56734a3c7df9c94ddb2 Signed-off-by: Pierre Riteau --- zuul.d/project.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index a36ad72c9..48e6fdd4e 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml 
@@ -24,11 +24,13 @@ #- kayobe-overcloud-tls-rocky10 - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman + - kayobe-overcloud-upgrade-rocky10 - kayobe-overcloud-upgrade-ubuntu-noble - kayobe-seed-rocky10 - kayobe-seed-rocky10-podman - kayobe-seed-ubuntu-noble - kayobe-seed-ubuntu-noble-podman + - kayobe-seed-upgrade-rocky10 - kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky10 - kayobe-seed-vm-ubuntu-noble @@ -49,11 +51,13 @@ #- kayobe-overcloud-tls-rocky10 - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman + - kayobe-overcloud-upgrade-rocky10 - kayobe-overcloud-upgrade-ubuntu-noble - kayobe-seed-rocky10 - kayobe-seed-rocky10-podman - kayobe-seed-ubuntu-noble - kayobe-seed-ubuntu-noble-podman + - kayobe-seed-upgrade-rocky10 - kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky10 - kayobe-seed-vm-ubuntu-noble @@ -66,14 +70,12 @@ - kayobe-infra-vm-ubuntu-noble-cloud-image - kayobe-overcloud-centos10s - kayobe-overcloud-tls-centos10s - - kayobe-overcloud-upgrade-rocky10 - kayobe-seed-centos10s - kayobe-seed-images-centos10s - kayobe-seed-images-rocky10 - kayobe-seed-images-rocky10-podman - kayobe-seed-images-ubuntu-noble - kayobe-seed-images-ubuntu-noble-podman - - kayobe-seed-upgrade-rocky10 - kayobe-seed-vm-centos10s - kayobe-seed-vm-centos10s-cloud-image - kayobe-seed-vm-centos10s-q35 From ba4e677934a623e312a65bb7ef606cb02fe64562 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 31 Dec 2025 15:46:03 +0100 Subject: [PATCH 148/187] CI: Fix overcloud deploy with TLS enabled This job was failing following changes to kolla-ansible certificate generation [1]. Fix by first running host configure while skipping the libvirt-host tag, then generating certificates, and finally running host configure again with only the libvirt-host tag, if required. [1] https://review.opendev.org/c/openstack/kolla-ansible/+/970099 Change-Id: Id5eda23b2b6647cbd0145d27afc849da66ea4440 
Signed-off-by: Pierre Riteau --- dev/functions | 36 ++++++++++++++++++++---------------- zuul.d/project.yaml | 4 ++-- 2 files changed, 22 insertions(+), 18 deletions(-) diff --git a/dev/functions b/dev/functions index 000370eb6..20e571d26 100644 --- a/dev/functions +++ b/dev/functions @@ -231,6 +231,11 @@ function upgrade_kayobe_venv { # Deployment +function is_compute_libvirt_enabled { + compute_libvirt_enabled=$(kayobe configuration dump --host localhost --var-name compute_libvirt_enabled) + to_bool "$compute_libvirt_enabled" +} + function is_deploy_image_built_locally { ipa_build_images=$(kayobe configuration dump --host localhost --var-name ipa_build_images) to_bool "$ipa_build_images" 
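Review bot: `is_compute_libvirt_enabled` assigns `compute_libvirt_enabled` without `local`, so the value leaks into the caller's shell, and a failed `kayobe configuration dump` is not distinguished from a false answer. In the `overcloud_deploy` hunk at -465 this function guards the only `run_kayobe overcloud host configure --tags libvirt-host` call, so, depending on how `to_bool` (not visible here) treats empty input, a dump error could skip libvirt host configuration without failing the deploy. I would add `local compute_libvirt_enabled` before the assignment and have the caller stop when the dump itself fails. The neighbouring `is_deploy_image_built_locally` has the same shape.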
@@ -431,26 +436,23 @@ function overcloud_deploy { control_host_bootstrap + # NOTE(mgoddard): There is a chicken and egg when generating libvirt TLS + # certificates using the kolla-ansible certificates command, and host + # libvirt. The certificates command needs to be able to gather facts for + # all hosts, but if the host configure step hasn't been run, we don't have + # SSH or the kolla user configured yet. However, we can't run host + # configure without the libvirt TLS certificates. + # Workaround: skip libvirt-host tag until later + echo "Configuring the controller host" + run_kayobe overcloud host configure --skip-tags libvirt-host + if [[ ${KAYOBE_OVERCLOUD_GENERATE_CERTIFICATES} = 1 ]]; then echo "Generate TLS certificates" run_kayobe playbook run $KAYOBE_SOURCE_PATH/ansible/kolla-ansible.yml -t config - # NOTE(mgoddard): There is a chicken and egg when generating libvirt - # TLS certificates using the kolla-ansible certificates command, and - # host libvirt. The certificates command needs to be able to gather - # facts for all hosts, but since the host configure step hasn't been - # run, we don't have SSH or the kolla user configured yet. However, we - # can't run host configure without the libvirt TLS certificates. - # Workaround: add the host to SSH known hosts and SSH as $USER. - run_kayobe playbook run $KAYOBE_SOURCE_PATH/ansible/ssh-known-host.yml -l overcloud - - # Avoid populating the fact cache with this weird setup. - export ANSIBLE_CACHE_PLUGIN=memory + run_kayobe kolla ansible run certificates \ --kolla-extra kolla_certificates_dir=${KAYOBE_CONFIG_PATH}/kolla/certificates \ - --kolla-extra ansible_user=$USER \ - --kolla-extra ansible_python_interpreter=/usr/bin/python3 \ --skip-tags kolla-openstack - unset ANSIBLE_CACHE_PLUGIN # Add CA cert to trust store. ca_cert=${KAYOBE_CONFIG_PATH}/kolla/certificates/ca/root.crt 
@@ -465,8 +467,10 @@ function overcloud_deploy { fi fi - echo "Configuring the controller host" - run_kayobe overcloud host configure + if is_compute_libvirt_enabled; then + echo "Configuring libvirt daemon" + run_kayobe overcloud host configure --tags libvirt-host + fi # FIXME(mgoddard): Perform host upgrade workarounds to ensure hostname # resolves to IP address of API interface for RabbitMQ. This seems to be diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 48e6fdd4e..b9c1fc2f2 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -21,7 +21,7 @@ - kayobe-overcloud-host-configure-ubuntu-noble - kayobe-overcloud-rocky10 - kayobe-overcloud-rocky10-podman - #- kayobe-overcloud-tls-rocky10 + - kayobe-overcloud-tls-rocky10 - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-upgrade-rocky10 @@ -48,7 +48,7 @@ - kayobe-overcloud-host-configure-ubuntu-noble - kayobe-overcloud-rocky10 - kayobe-overcloud-rocky10-podman - #- kayobe-overcloud-tls-rocky10 + - kayobe-overcloud-tls-rocky10 - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-upgrade-rocky10 From c69eaf93427412209aab6df97ee2dd872fc26f43 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 7 Jan 2026 13:32:09 +0100 Subject: [PATCH 149/187] Add infra-vms to ntp group Closes-Bug: #2137637 Change-Id: I3936250ca7b9f851db8e4d73e1e8c28ce823fa4a Signed-off-by: Pierre Riteau --- etc/kayobe/inventory/groups | 1 + .../notes/infra-vms-ntp-group-a2bd39f7c659a8d3.yaml | 7 +++++++ 2 files changed, 8 insertions(+) create mode 100644 releasenotes/notes/infra-vms-ntp-group-a2bd39f7c659a8d3.yaml diff --git a/etc/kayobe/inventory/groups b/etc/kayobe/inventory/groups index a870bc8b5..0f57def4a 100644 --- a/etc/kayobe/inventory/groups +++ b/etc/kayobe/inventory/groups 
@@ -85,6 +85,7 @@ seed seed seed-hypervisor overcloud +infra-vms ############################################################################### # Baremetal compute node groups. diff --git a/releasenotes/notes/infra-vms-ntp-group-a2bd39f7c659a8d3.yaml b/releasenotes/notes/infra-vms-ntp-group-a2bd39f7c659a8d3.yaml new file mode 100644 index 000000000..870d5ec28 --- /dev/null +++ b/releasenotes/notes/infra-vms-ntp-group-a2bd39f7c659a8d3.yaml @@ -0,0 +1,7 @@ +--- +issues: + - | + NTP configuration was missing from infrastructure VMs because ``infra-vms`` + was not present under the ``[ntp]`` group. Operators should ensure the most + recent upstream ``kayobe-config`` is merged into their local configuration + to resolve this issue. From 6d62a9c9dd9813f22792b07cc9e162e5adc618da Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 7 Jan 2026 19:28:12 +0100 Subject: [PATCH 150/187] CI: Always use openstack-ci-mirrors element Version 3.40.1 of diskimage-builder includes the fix to the openstack-ci-mirrors element. Change-Id: I6dd6808f8ad5325314435650db47dc71e126d6d5 Signed-off-by: Pierre Riteau --- playbooks/kayobe-seed-base/overrides.yml.j2 | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/playbooks/kayobe-seed-base/overrides.yml.j2 b/playbooks/kayobe-seed-base/overrides.yml.j2 index 9cfad25f8..b56fda355 100644 --- a/playbooks/kayobe-seed-base/overrides.yml.j2 +++ b/playbooks/kayobe-seed-base/overrides.yml.j2 
@@ -46,9 +46,7 @@ ipa_build_images: {{ build_images }} ipa_build_dib_elements_extra: # extra-hardware is currently failing on Ubuntu - "{% raw %}{{ 'extra-hardware' if os_distribution != 'ubuntu' else '' }}{% endraw %}" - # Broken openstack-ci-mirrors for CentOS Stream 10. TODO(priteau): Remove - # conditional once https://review.opendev.org/965344 is released. - - "{% raw %}{{ 'openstack-ci-mirrors' if os_distribution != 'centos' else '' }}{% endraw %}" + - "openstack-ci-mirrors" # Workaround for limited tmpfs space in CI ipa_build_dib_env_extra: @@ -57,9 +55,7 @@ ipa_build_dib_env_extra: # Build overcloud host image. overcloud_dib_build_host_images: {{ build_images }} overcloud_dib_elements_extra: - # Broken openstack-ci-mirrors for CentOS Stream 10. TODO(priteau): Remove - # conditional once https://review.opendev.org/965344 is released. - - "{% raw %}{{ 'openstack-ci-mirrors' if os_distribution != 'centos' else '' }}{% endraw %}" + - "openstack-ci-mirrors" # NOTE(bbezak): Kolla does not build CentOS Stream 10 container images. # Using Rocky Linux 10 images on CentOS Stream 10 in CI. From 60a71c7adae37139fae4556fcac41963a5334fbd Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 20 Jan 2026 11:14:54 +0100 Subject: [PATCH 151/187] CI: Fix multiple issues The openstack-tox-py313 job runs on Debian Trixie, which does not have the libpcre3-dev package. Update bindep.txt to install it only for Ubuntu. This package is required for running pep8 and building docs. Disable seed jobs which are broken because of the addition of an OCI artifact registry in Bifrost. This is being resolved separately. Disable test of baremetal machine inspection: it is currently failing with power off timeout. Change-Id: I14519b2c511c06b409fe95ec57d42309081575f6 Signed-off-by: Pierre Riteau --- bindep.txt | 2 +- playbooks/kayobe-overcloud-base/run.yml | 2 +- zuul.d/project.yaml | 24 ++++++++++++------------ 3 files changed, 14 insertions(+), 14 deletions(-) 
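Review bot: Both `- "openstack-ci-mirrors"` entries in playbooks/kayobe-seed-base/overrides.yml.j2 are now unconditional, but per the commit message the element only works from diskimage-builder 3.40.1 on, and nothing in these hunks records or enforces that minimum. If a job can still install an older diskimage-builder (not visible from here), CentOS Stream 10 image builds may hit the breakage the removed comment described. A short comment such as `# Requires diskimage-builder >= 3.40.1 (fixed openstack-ci-mirrors element).` above each entry would keep the dependency visible.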
diff --git a/bindep.txt b/bindep.txt index e3d190257..74baf3904 100644 --- a/bindep.txt +++ b/bindep.txt @@ -1,4 +1,4 @@ -libpcre3-dev [platform:dpkg test] +libpcre3-dev [platform:ubuntu test] pcre-devel [platform:rpm test] # PDF Docs package dependencies diff --git a/playbooks/kayobe-overcloud-base/run.yml b/playbooks/kayobe-overcloud-base/run.yml index e5c617bc8..3fa4fdaee 100644 --- a/playbooks/kayobe-overcloud-base/run.yml +++ b/playbooks/kayobe-overcloud-base/run.yml @@ -42,7 +42,7 @@ chdir: "{{ kayobe_src_dir }}" executable: /bin/bash # TODO(priteau): Fix baremetal inspect issues with UEFI - when: ironic_boot_mode == 'bios' + when: ironic_boot_mode == 'bios' and false # TODO(priteau): Re-enable when working - name: Perform testing of the baremetal machines shell: diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index b9c1fc2f2..ae306505c 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -26,12 +26,12 @@ - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-upgrade-rocky10 - kayobe-overcloud-upgrade-ubuntu-noble - - kayobe-seed-rocky10 - - kayobe-seed-rocky10-podman - - kayobe-seed-ubuntu-noble - - kayobe-seed-ubuntu-noble-podman - - kayobe-seed-upgrade-rocky10 - - kayobe-seed-upgrade-ubuntu-noble + #- kayobe-seed-rocky10 + #- kayobe-seed-rocky10-podman + #- kayobe-seed-ubuntu-noble + #- kayobe-seed-ubuntu-noble-podman + #- kayobe-seed-upgrade-rocky10 + #- kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky10 - kayobe-seed-vm-ubuntu-noble gate: 
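Review bot: `when: ironic_boot_mode == 'bios' and false` in playbooks/kayobe-overcloud-base/run.yml can never be true, so the left-hand test is dead and the task is skipped for every job, while the older `# TODO(priteau): Fix baremetal inspect issues with UEFI` line above it still reads as if only UEFI were affected. I would state the disablement plainly and keep the original condition in the comment, e.g. `when: false  # TODO(priteau): restore "ironic_boot_mode == 'bios'" once inspection no longer times out on power off`. The job still passes with the task skipped, so nothing in the result shows that machine inspection is untested. The task itself starts outside the hunk.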
@@ -53,12 +53,12 @@ - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-upgrade-rocky10 - kayobe-overcloud-upgrade-ubuntu-noble - - kayobe-seed-rocky10 - - kayobe-seed-rocky10-podman - - kayobe-seed-ubuntu-noble - - kayobe-seed-ubuntu-noble-podman - - kayobe-seed-upgrade-rocky10 - - kayobe-seed-upgrade-ubuntu-noble + #- kayobe-seed-rocky10 + #- kayobe-seed-rocky10-podman + #- kayobe-seed-ubuntu-noble + #- kayobe-seed-ubuntu-noble-podman + #- kayobe-seed-upgrade-rocky10 + #- kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky10 - kayobe-seed-vm-ubuntu-noble From d7686f5f241244b199749428b3d0fb895238b64a Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 21 Jan 2026 10:08:32 +0100 Subject: [PATCH 152/187] CI: Re-enable seed jobs Bifrost added an OCI artifact registry [1] which runs as a Podman container. This currently does not work inside a Docker container, so it is disabled by the kolla-ansible bifrost role. [1] https://review.opendev.org/c/openstack/bifrost/+/961388 Closes-Bug: #2138705 Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/974029 Change-Id: I3aa9f84bedbc5bc7b472e8aefa1c16499f40a153 Signed-off-by: Pierre Riteau --- zuul.d/project.yaml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index ae306505c..b9c1fc2f2 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -26,12 +26,12 @@ - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-upgrade-rocky10 - kayobe-overcloud-upgrade-ubuntu-noble - #- kayobe-seed-rocky10 - #- kayobe-seed-rocky10-podman - #- kayobe-seed-ubuntu-noble - #- kayobe-seed-ubuntu-noble-podman - #- kayobe-seed-upgrade-rocky10 - #- kayobe-seed-upgrade-ubuntu-noble + - kayobe-seed-rocky10 + - kayobe-seed-rocky10-podman + - kayobe-seed-ubuntu-noble + - kayobe-seed-ubuntu-noble-podman + - kayobe-seed-upgrade-rocky10 + - kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky10 - kayobe-seed-vm-ubuntu-noble gate: 
@@ -53,12 +53,12 @@ - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-upgrade-rocky10 - kayobe-overcloud-upgrade-ubuntu-noble - #- kayobe-seed-rocky10 - #- kayobe-seed-rocky10-podman - #- kayobe-seed-ubuntu-noble - #- kayobe-seed-ubuntu-noble-podman - #- kayobe-seed-upgrade-rocky10 - #- kayobe-seed-upgrade-ubuntu-noble + - kayobe-seed-rocky10 + - kayobe-seed-rocky10-podman + - kayobe-seed-ubuntu-noble + - kayobe-seed-ubuntu-noble-podman + - kayobe-seed-upgrade-rocky10 + - kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky10 - kayobe-seed-vm-ubuntu-noble From c113917133d52dab516d95620eac797da0bfe5dd Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 22 Jan 2026 09:05:39 +0100 Subject: [PATCH 153/187] Add Python 3.13 classifier Python 3.13 is in the supported runtimes for 2026.1 Gazpacho [1] and is tested in CI. [1] https://governance.openstack.org/tc/reference/runtimes/2026.1.html Change-Id: I84aa1e162711459d844586bc35f12740665a767d Signed-off-by: Pierre Riteau --- setup.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/setup.cfg b/setup.cfg index 82526ed5b..7e493174f 100644 --- a/setup.cfg +++ b/setup.cfg @@ -19,6 +19,7 @@ classifier = Programming Language :: Python :: 3 :: Only Programming Language :: Python :: 3 Programming Language :: Python :: 3.12 + Programming Language :: Python :: 3.13 [files] packages = From b50cd2de65a0c6e922c8fa0976fca076d40530f0 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 22 Jan 2026 09:18:08 +0100 Subject: [PATCH 154/187] Replace obsolete PCRE packages pcre3 was removed from recent Debian-based releases (e.g. Trixie [1]), while RHEL10/CentOS Stream 10 no longer ships pcre in favor of pcre2. Use the latest whereto library release (0.5.0) which uses pcre2 instead. [1] https://lists.debian.org/debian-devel/2021/11/msg00176.html Co-Authored-By: Takashi Kajinami Depends-On: https://review.opendev.org/c/openstack/requirements/+/971428 Change-Id: I4ae0eed23a6bb479d35c1a097ebc967ed723fde5 
Signed-off-by: Pierre Riteau --- bindep.txt | 5 +++-- doc/requirements.txt | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/bindep.txt b/bindep.txt index 74baf3904..d99bfd217 100644 --- a/bindep.txt +++ b/bindep.txt @@ -1,5 +1,6 @@ -libpcre3-dev [platform:ubuntu test] -pcre-devel [platform:rpm test] +# whereto dependencies +libpcre2-dev [platform:dpkg test] +pcre2-devel [platform:rpm test] # PDF Docs package dependencies tex-gyre [platform:dpkg doc] diff --git a/doc/requirements.txt b/doc/requirements.txt index 51a2c6498..604a1d205 100644 --- a/doc/requirements.txt +++ b/doc/requirements.txt @@ -6,4 +6,4 @@ openstackdocstheme>=2.2.1 # Apache-2.0 reno>=3.1.0 # Apache-2.0 sphinx>=2.0.0,!=2.1.0 # BSD sphinxcontrib-svg2pdfconverter>=0.1.0 # BSD -whereto>=0.3.0 # Apache-2.0 +whereto>=0.5.0 # Apache-2.0 From aeaf7cb5f9be1116e23e19b52f5b50dda2795a7f Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 22 Jan 2026 09:56:39 +0100 Subject: [PATCH 155/187] CI: Set previous_release for 2026.1 Gazpacho Change-Id: I64c9960564ad1cf2dbf8ca5d1bc44bc95ce57cf2 Signed-off-by: Pierre Riteau --- zuul.d/jobs.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 2af930cf3..b917e34fd 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -105,7 +105,7 @@ tenks_src_dir: "{{ ansible_env.PWD ~ '/' ~ zuul.projects['opendev.org/openstack/tenks'].src_dir }}" is_upgrade: "{{ 'upgrade' in zuul.job }}" is_slurp: "{{ 'slurp' in zuul.job }}" - previous_release: "{{ '2025.1' if is_slurp else '2025.1' }}" + previous_release: "{{ '2025.1' if is_slurp else '2025.2' }}" tls_enabled: false container_engine: 'docker' ironic_boot_mode: "bios" From bbc0a879a591c3df980af436102f356879153873 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 22 Jan 2026 15:14:06 +0100 Subject: [PATCH 156/187] CI: Add SLURP upgrade jobs from 2025.1 to 2026.1 Change-Id: Ibbf05a6454fc945b7ea7b59ec19d3d3d78412127 
Signed-off-by: Pierre Riteau --- zuul.d/project.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index b9c1fc2f2..37f0d0b23 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -25,12 +25,16 @@ - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-upgrade-rocky10 + - kayobe-overcloud-upgrade-slurp-rocky10 + - kayobe-overcloud-upgrade-slurp-ubuntu-noble - kayobe-overcloud-upgrade-ubuntu-noble - kayobe-seed-rocky10 - kayobe-seed-rocky10-podman - kayobe-seed-ubuntu-noble - kayobe-seed-ubuntu-noble-podman - kayobe-seed-upgrade-rocky10 + - kayobe-seed-upgrade-slurp-rocky10 + - kayobe-seed-upgrade-slurp-ubuntu-noble - kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky10 - kayobe-seed-vm-ubuntu-noble @@ -52,12 +56,16 @@ - kayobe-overcloud-ubuntu-noble - kayobe-overcloud-ubuntu-noble-podman - kayobe-overcloud-upgrade-rocky10 + - kayobe-overcloud-upgrade-slurp-rocky10 + - kayobe-overcloud-upgrade-slurp-ubuntu-noble - kayobe-overcloud-upgrade-ubuntu-noble - kayobe-seed-rocky10 - kayobe-seed-rocky10-podman - kayobe-seed-ubuntu-noble - kayobe-seed-ubuntu-noble-podman - kayobe-seed-upgrade-rocky10 + - kayobe-seed-upgrade-slurp-rocky10 + - kayobe-seed-upgrade-slurp-ubuntu-noble - kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky10 - kayobe-seed-vm-ubuntu-noble From 6b4028754321b3e20b45f93b6fba159985e850af Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 21 Jan 2026 12:56:13 +0100 Subject: [PATCH 157/187] Support swap configuration for all host groups An earlier change [1] added support for swap configuration, but the swap playbook was only imported in ansible/overcloud-host-configure.yml. This completes swap support for the seed hypervisor, seed and infra VM hosts and adds missing variables in etc/kayobe/*.yml files. [1] https://review.opendev.org/c/openstack/kayobe/+/851195 Closes-Bug: #2138800 Change-Id: I3971d05f3c09a6841f6666a18f2d2b44b226411d 
Signed-off-by: Pierre Riteau --- ansible/infra-vm-host-configure.yml | 1 + ansible/seed-host-configure.yml | 1 + ansible/seed-hypervisor-host-configure.yml | 1 + etc/kayobe/compute.yml | 6 ++++++ etc/kayobe/controllers.yml | 6 ++++++ etc/kayobe/infra-vms.yml | 6 ++++++ etc/kayobe/monitoring.yml | 6 ++++++ etc/kayobe/seed-hypervisor.yml | 6 ++++++ etc/kayobe/seed.yml | 6 ++++++ etc/kayobe/storage.yml | 6 ++++++ releasenotes/notes/fix-swap-support-35ccff76a9b46b4c.yaml | 5 +++++ 11 files changed, 50 insertions(+) create mode 100644 releasenotes/notes/fix-swap-support-35ccff76a9b46b4c.yaml diff --git a/ansible/infra-vm-host-configure.yml b/ansible/infra-vm-host-configure.yml index 35d13a092..644c7f03a 100644 --- a/ansible/infra-vm-host-configure.yml +++ b/ansible/infra-vm-host-configure.yml @@ -21,4 +21,5 @@ - import_playbook: "mdadm.yml" - import_playbook: "luks.yml" - import_playbook: "lvm.yml" +- import_playbook: "swap.yml" - import_playbook: "container-engine.yml" diff --git a/ansible/seed-host-configure.yml b/ansible/seed-host-configure.yml index 64604d74e..00c7eed6c 100644 --- a/ansible/seed-host-configure.yml +++ b/ansible/seed-host-configure.yml @@ -22,6 +22,7 @@ - import_playbook: "mdadm.yml" - import_playbook: "luks.yml" - import_playbook: "lvm.yml" +- import_playbook: "swap.yml" - import_playbook: "kolla-ansible-user.yml" - import_playbook: "kolla-pip.yml" - import_playbook: "kolla-target-venv.yml" diff --git a/ansible/seed-hypervisor-host-configure.yml b/ansible/seed-hypervisor-host-configure.yml index 9bcb1f50c..a91f5781a 100644 --- a/ansible/seed-hypervisor-host-configure.yml +++ b/ansible/seed-hypervisor-host-configure.yml @@ -21,4 +21,5 @@ - import_playbook: "mdadm.yml" - import_playbook: "luks.yml" - import_playbook: "lvm.yml" +- import_playbook: "swap.yml" - import_playbook: "seed-hypervisor-libvirt-host.yml" diff --git a/etc/kayobe/compute.yml b/etc/kayobe/compute.yml index 383abd16f..f8a7deb29 100644 --- a/etc/kayobe/compute.yml 
+++ b/etc/kayobe/compute.yml @@ -212,6 +212,12 @@ # compute_libvirt_ceph_repo_install is true. Default is 'squid'. #compute_libvirt_ceph_repo_release: +############################################################################### +# Compute node swap configuration. + +# List of swap devices. Each item is a dict containing a 'device' item. +#compute_swap: + ############################################################################### # Dummy variable to allow Ansible to accept this file. workaround_ansible_issue_8743: yes diff --git a/etc/kayobe/controllers.yml b/etc/kayobe/controllers.yml index caa03a6ff..066c42d33 100644 --- a/etc/kayobe/controllers.yml +++ b/etc/kayobe/controllers.yml @@ -171,6 +171,12 @@ # - state: enabled #controller_firewalld_rules: +############################################################################### +# Controller node swap configuration. + +# List of swap devices. Each item is a dict containing a 'device' item. +#controller_swap: + ############################################################################### # Dummy variable to allow Ansible to accept this file. workaround_ansible_issue_8743: yes diff --git a/etc/kayobe/infra-vms.yml b/etc/kayobe/infra-vms.yml index 076a3e695..25c39f478 100644 --- a/etc/kayobe/infra-vms.yml +++ b/etc/kayobe/infra-vms.yml @@ -176,6 +176,12 @@ # - state: enabled #infra_vm_firewalld_rules: +############################################################################### +# Infrastructure VM node swap configuration. + +# List of swap devices. Each item is a dict containing a 'device' item. +#infra_vm_swap: + ############################################################################### # Dummy variable to allow Ansible to accept this file. workaround_ansible_issue_8743: yes diff --git a/etc/kayobe/monitoring.yml b/etc/kayobe/monitoring.yml index 5a19d7023..8c63bd589 100644 --- a/etc/kayobe/monitoring.yml +++ b/etc/kayobe/monitoring.yml 
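Review bot: The new `# List of swap devices. Each item is a dict containing a 'device' item.` comment in etc/kayobe/compute.yml (repeated for controllers, infra-vms, monitoring, seed-hypervisor, seed and storage) says nothing about encryption, although swap can hold memory contents such as keys and credentials on disk. The host-configure playbooks in this commit import `luks.yml` before `swap.yml`, so an operator who encrypts data disks may expect swap to be covered too; whether `swap.yml` handles that is not visible here. I would extend the comment with `# On hosts using LUKS, point 'device' at an encrypted device so swapped-out memory is not written in clear.`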
@@ -117,6 +117,12 @@ # - state: enabled #monitoring_firewalld_rules: +############################################################################### +# Monitoring node swap configuration. + +# List of swap devices. Each item is a dict containing a 'device' item. +#monitoring_swap: + ############################################################################### # Dummy variable to allow Ansible to accept this file. workaround_ansible_issue_8743: yes diff --git a/etc/kayobe/seed-hypervisor.yml b/etc/kayobe/seed-hypervisor.yml index cded893f9..5905eefe0 100644 --- a/etc/kayobe/seed-hypervisor.yml +++ b/etc/kayobe/seed-hypervisor.yml @@ -136,6 +136,12 @@ # - state: enabled #seed_hypervisor_firewalld_rules: +############################################################################### +# Seed hypervisor node swap configuration. + +# List of swap devices. Each item is a dict containing a 'device' item. +#seed_hypervisor_swap: + ############################################################################### # Dummy variable to allow Ansible to accept this file. workaround_ansible_issue_8743: yes diff --git a/etc/kayobe/seed.yml b/etc/kayobe/seed.yml index 9f4f7055b..6b4eb9f9b 100644 --- a/etc/kayobe/seed.yml +++ b/etc/kayobe/seed.yml @@ -131,6 +131,12 @@ # - state: enabled #seed_firewalld_rules: +############################################################################### +# Seed node swap configuration. + +# List of swap devices. Each item is a dict containing a 'device' item. +#seed_swap: + ############################################################################### # Dummy variable to allow Ansible to accept this file. workaround_ansible_issue_8743: yes diff --git a/etc/kayobe/storage.yml b/etc/kayobe/storage.yml index 1866e6df3..170ed2ab2 100644 --- a/etc/kayobe/storage.yml +++ b/etc/kayobe/storage.yml 
@@ -147,6 +147,12 @@ # - state: enabled #storage_firewalld_rules: +############################################################################### +# Storage node swap configuration. + +# List of swap devices. Each item is a dict containing a 'device' item. +#storage_swap: + ############################################################################### # Dummy variable to allow Ansible to accept this file. workaround_ansible_issue_8743: yes diff --git a/releasenotes/notes/fix-swap-support-35ccff76a9b46b4c.yaml b/releasenotes/notes/fix-swap-support-35ccff76a9b46b4c.yaml new file mode 100644 index 000000000..574bf101c --- /dev/null +++ b/releasenotes/notes/fix-swap-support-35ccff76a9b46b4c.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Fixes swap configuration for the seed hypervisor, seed and infra VM hosts. + `LP#2138800 `__ From 2e93afb84a45ce5ac29d0f3e22cfd13bc1663bd3 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 14 Jan 2026 19:17:36 +0100 Subject: [PATCH 158/187] Sync host configuration with Ansible defaults This synchronises the following files with the Ansible inventory defaults in ansible/inventory/group_vars/all: - compute.yml - controllers.yml - infra-vms.yml - monitoring.yml - seed-hypervisor.yml - seed.yml Change-Id: I9ef77d6119be910710eaffa8bc70bb207323f268 Signed-off-by: Pierre Riteau --- ansible/inventory/group_vars/all/controllers | 1 + .../inventory/group_vars/all/seed-hypervisor | 3 ++- ansible/inventory/group_vars/all/seed-vm | 15 ++++++++++++++- etc/kayobe/controllers.yml | 18 ++++++++++++++++-- etc/kayobe/infra-vms.yml | 12 ++++++++++++ etc/kayobe/seed.yml | 12 ++++++++++++ 6 files changed, 57 insertions(+), 4 deletions(-) diff --git a/ansible/inventory/group_vars/all/controllers b/ansible/inventory/group_vars/all/controllers index 5d2f2b804..a7b2097bd 100644 --- a/ansible/inventory/group_vars/all/controllers +++ b/ansible/inventory/group_vars/all/controllers 
@@ -162,6 +162,7 @@ controller_lvm_group_data_lv_docker_volumes: mount: True mntp: "{{ docker_volumes_path }}" +# Podman volumes LVM backing volume. controller_lvm_group_data_lv_podman_volumes: lvname: podman-volumes size: "{{ controller_lvm_group_data_lv_podman_volumes_size }}" diff --git a/ansible/inventory/group_vars/all/seed-hypervisor b/ansible/inventory/group_vars/all/seed-hypervisor index 0c2a0e6f9..80fe27851 100644 --- a/ansible/inventory/group_vars/all/seed-hypervisor +++ b/ansible/inventory/group_vars/all/seed-hypervisor @@ -44,7 +44,8 @@ seed_hypervisor_luks_devices: [] # volume group for libvirt storage. seed_hypervisor_lvm_groups: [] -# Suggested list of seed hypervisor volume groups for libvirt. Not used by default. +# Suggested list of seed hypervisor volume groups for libvirt. Not used by +# default. seed_hypervisor_lvm_groups_with_data: - "{{ seed_hypervisor_lvm_group_data }}" diff --git a/ansible/inventory/group_vars/all/seed-vm b/ansible/inventory/group_vars/all/seed-vm index 674d0384b..73c50ed73 100644 --- a/ansible/inventory/group_vars/all/seed-vm +++ b/ansible/inventory/group_vars/all/seed-vm @@ -62,7 +62,20 @@ seed_vm_data_capacity: 100G # Format of the seed VM data volume. seed_vm_data_format: qcow2 -# List of network interfaces to attach to the seed VM. +# List of network interfaces to attach to the seed VM. Format is as accepted by +# the stackhpc.libvirt-vm role's libvirt_vms.interfaces variable. Default is +# one interface for each network in 'network_interfaces'. +# +# Example with one interface connected to a libvirt network called +# 'libvirt-net', and another interface directly plugged into a host device +# called 'eth1': +# +# seed_vm_interfaces: +# - network: libvirt-net +# - type: direct +# source: +# dev: eth1 +# seed_vm_interfaces: "{{ network_interfaces | sort | map('net_libvirt_vm_network') | list }}" # Boot firmware. Possible values are 'bios' or 'efi'. Default is 'efi'. 
diff --git a/etc/kayobe/controllers.yml b/etc/kayobe/controllers.yml index 066c42d33..1cc50c30b 100644 --- a/etc/kayobe/controllers.yml +++ b/etc/kayobe/controllers.yml @@ -106,8 +106,7 @@ # Whether a 'data' LVM volume group should exist on controller hosts. By # default this contains a 'docker-volumes' logical volume for Docker volume -# storage. -# Default is false. +# storage. Default is false. #controller_lvm_group_data_enabled: # Controller LVM volume group for data. See mrlesmithjr.manage_lvm role for @@ -118,18 +117,33 @@ # invalid value to require configuration. #controller_lvm_group_data_disks: +# List of LVM logical volumes for the data volume group when using docker. +#controller_lvm_group_data_docker_lvs: + +# List of LVM logical volumes for the data volume group when using podman. +#controller_lvm_group_data_podman_lvs: + # List of LVM logical volumes for the data volume group. #controller_lvm_group_data_lvs: # Docker volumes LVM backing volume. #controller_lvm_group_data_lv_docker_volumes: +# Podman volumes LVM backing volume. +#controller_lvm_group_data_lv_podman_volumes: + # Size of docker volumes LVM backing volume. #controller_lvm_group_data_lv_docker_volumes_size: # Filesystem for docker volumes LVM backing volume. ext4 allows for shrinking. #controller_lvm_group_data_lv_docker_volumes_fs: +# Size of podman volumes LVM backing volume. +#controller_lvm_group_data_lv_podman_volumes_size: + +# Filesystem for podman volumes LVM backing volume. ext4 allows for shrinking. +#controller_lvm_group_data_lv_podman_volumes_fs: + ############################################################################### # Controller node sysctl configuration. diff --git a/etc/kayobe/infra-vms.yml b/etc/kayobe/infra-vms.yml index 25c39f478..59147aac7 100644 --- a/etc/kayobe/infra-vms.yml +++ b/etc/kayobe/infra-vms.yml 
@@ -123,6 +123,12 @@ # an invalid value to require configuration. #infra_vm_lvm_group_data_disks: +# List of LVM logical volumes for the data volume group when using docker. +#infra_vm_lvm_group_data_docker_lvs: + +# List of LVM logical volumes for the data volume group when using podman. +#infra_vm_lvm_group_data_podman_lvs: + # List of LVM logical volumes for the data volume group. #infra_vm_lvm_group_data_lvs: @@ -135,6 +141,12 @@ # Filesystem for docker volumes LVM backing volume. ext4 allows for shrinking. #infra_vm_lvm_group_data_lv_docker_volumes_fs: +# Size of podman volumes LVM backing volume. +#infra_vm_lvm_group_data_lv_podman_volumes_size: + +# Filesystem for podman volumes LVM backing volume. ext4 allows for shrinking. +#infra_vm_lvm_group_data_lv_podman_volumes_fs: + ############################################################################### # Infrastructure VM node sysctl configuration. diff --git a/etc/kayobe/seed.yml b/etc/kayobe/seed.yml index 6b4eb9f9b..7a335ea2f 100644 --- a/etc/kayobe/seed.yml +++ b/etc/kayobe/seed.yml @@ -60,6 +60,12 @@ # value to require configuration. #seed_lvm_group_data_disks: +# List of LVM logical volumes for the data volume group when using docker. +#seed_lvm_group_data_docker_lvs: + +# List of LVM logical volumes for the data volume group when using podman. +#seed_lvm_group_data_podman_lvs: + # List of LVM logical volumes for the data volume group. #seed_lvm_group_data_lvs: @@ -72,6 +78,12 @@ # Filesystem for docker volumes LVM backing volume. ext4 allows for shrinking. #seed_lvm_group_data_lv_docker_volumes_fs: +# Size of podman volumes LVM backing volume. +#seed_lvm_group_data_lv_podman_volumes_size: + +# Filesystem for podman volumes LVM backing volume. ext4 allows for shrinking. +#seed_lvm_group_data_lv_podman_volumes_fs: + ############################################################################### # Seed node sysctl configuration. From 32214e2b6b14fa834e8d210763b14bae7678e771 Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Sat, 24 Jan 2026 20:11:08 +0100 Subject: [PATCH 159/187] CI: Make Tenks nodes compatible with c9s IPA MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Increase the Tenks nodes to 3 GiB ram and force `cpu_mode: maximum` so the CentOS Stream IPA no longer errors with "Fatal glibc error: CPU does not support x86-64-v2", like in kolla-ansible [1]. [1] https://review.opendev.org/c/openstack/kolla-ansible/+/965244 Change-Id: If0352355db140b5c96776a9380af9afa933b9af3 Co-Authored-By: Bartosz Bezak Signed-off-by: Pierre Riteau --- ...-deploy-config-compute-libvirt-on-host.yml | 7 ++++-- dev/tenks-deploy-config-compute.yml | 7 ++++-- zuul.d/jobs.yaml | 22 +++++++++---------- zuul.d/nodesets.yaml | 18 +++++++++++++++ 4 files changed, 39 insertions(+), 15 deletions(-) diff --git a/dev/tenks-deploy-config-compute-libvirt-on-host.yml b/dev/tenks-deploy-config-compute-libvirt-on-host.yml index a6b80c104..53f53d325 100644 --- a/dev/tenks-deploy-config-compute-libvirt-on-host.yml +++ b/dev/tenks-deploy-config-compute-libvirt-on-host.yml @@ -4,7 +4,7 @@ node_types: type0: - memory_mb: 1024 + memory_mb: 3072 vcpus: 1 volumes: # There is a minimum disk space capacity requirement of 4GiB when using Ironic Python Agent: @@ -15,7 +15,10 @@ node_types: console_log_enabled: true # We seem to hit issues with missing cpu features in CI as a result of using host-model, e.g: # https://zuul.opendev.org/t/openstack/build/02c33ab51664419a88a5a54ad22852a9/log/primary/system_logs/libvirt/qemu/tk0.txt.gz#38 - cpu_mode: + # NOTE(bbezak): Force QEMU to expose x86-64‑v2 features, so the CentOS + # Stream IPA doesn't fail with "Fatal glibc error: CPU does not support + # x86-64-v2". + cpu_mode: maximum specs: - type: type0 diff --git a/dev/tenks-deploy-config-compute.yml b/dev/tenks-deploy-config-compute.yml index 984852bcb..feb46439a 100644 --- a/dev/tenks-deploy-config-compute.yml +++ b/dev/tenks-deploy-config-compute.yml 
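Review bot: The added NOTE writes "x86-64‑v2" with a non-breaking hyphen (U+2011) on its first line, while the glibc message quoted two lines later uses the plain ASCII "x86-64-v2", so a search for the ASCII string misses the first occurrence. Use an ASCII hyphen there: `# NOTE(bbezak): Force QEMU to expose x86-64-v2 features, so the CentOS`. The same comment is added in dev/tenks-deploy-config-compute.yml and needs the same change.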
@@ -4,7 +4,7 @@ node_types: type0: - memory_mb: 1024 + memory_mb: 3072 vcpus: 1 volumes: # There is a minimum disk space capacity requirement of 4GiB when using Ironic Python Agent: @@ -15,7 +15,10 @@ node_types: console_log_enabled: true # We seem to hit issues with missing cpu features in CI as a result of using host-model, e.g: # https://zuul.opendev.org/t/openstack/build/02c33ab51664419a88a5a54ad22852a9/log/primary/system_logs/libvirt/qemu/tk0.txt.gz#38 - cpu_mode: + # NOTE(bbezak): Force QEMU to expose x86-64‑v2 features, so the CentOS + # Stream IPA doesn't fail with "Fatal glibc error: CPU does not support + # x86-64-v2". + cpu_mode: maximum specs: - type: type0 diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index b917e34fd..ed98ae2dc 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -124,7 +124,7 @@ - job: name: kayobe-overcloud-centos10s parent: kayobe-overcloud-base - nodeset: kayobe-centos10s + nodeset: kayobe-centos10s-16GB voting: false - job: @@ -132,24 +132,24 @@ parent: kayobe-overcloud-base vars: kayobe_control_host_become: false - nodeset: kayobe-rocky10 + nodeset: kayobe-rocky10-16GB - job: name: kayobe-overcloud-rocky10-podman parent: kayobe-overcloud-base - nodeset: kayobe-rocky10 + nodeset: kayobe-rocky10-16GB vars: container_engine: podman - job: name: kayobe-overcloud-ubuntu-noble parent: kayobe-overcloud-base - nodeset: kayobe-ubuntu-noble + nodeset: kayobe-ubuntu-noble-16GB - job: name: kayobe-overcloud-ubuntu-noble-podman parent: kayobe-overcloud-base - nodeset: kayobe-ubuntu-noble + nodeset: kayobe-ubuntu-noble-16GB vars: container_engine: podman kayobe_control_host_become: false @@ -164,13 +164,13 @@ - job: name: kayobe-overcloud-tls-centos10s parent: kayobe-overcloud-tls-base - nodeset: kayobe-centos10s + nodeset: kayobe-centos10s-16GB voting: false - job: name: kayobe-overcloud-tls-rocky10 parent: kayobe-overcloud-tls-base - nodeset: kayobe-rocky10 + nodeset: kayobe-rocky10-16GB - job: name: kayobe-overcloud-upgrade-base 
@@ -187,22 +187,22 @@ - job: name: kayobe-overcloud-upgrade-rocky10 parent: kayobe-overcloud-upgrade-base - nodeset: kayobe-rocky10 + nodeset: kayobe-rocky10-16GB - job: name: kayobe-overcloud-upgrade-ubuntu-noble parent: kayobe-overcloud-upgrade-base - nodeset: kayobe-ubuntu-noble + nodeset: kayobe-ubuntu-noble-16GB - job: name: kayobe-overcloud-upgrade-slurp-rocky10 parent: kayobe-overcloud-upgrade-base - nodeset: kayobe-rocky10 + nodeset: kayobe-rocky10-16GB - job: name: kayobe-overcloud-upgrade-slurp-ubuntu-noble parent: kayobe-overcloud-upgrade-base - nodeset: kayobe-ubuntu-noble + nodeset: kayobe-ubuntu-noble-16GB - job: name: kayobe-seed-base diff --git a/zuul.d/nodesets.yaml b/zuul.d/nodesets.yaml index b7bd14d8b..32c72a536 100644 --- a/zuul.d/nodesets.yaml +++ b/zuul.d/nodesets.yaml @@ -5,14 +5,32 @@ - name: primary label: centos-10-stream-8GB +- nodeset: + name: kayobe-centos10s-16GB + nodes: + - name: primary + label: centos-10-stream-16GB + - nodeset: name: kayobe-rocky10 nodes: - name: primary label: rockylinux-10-8GB +- nodeset: + name: kayobe-rocky10-16GB + nodes: + - name: primary + label: rockylinux-10-16GB + - nodeset: name: kayobe-ubuntu-noble nodes: - name: primary label: ubuntu-noble + +- nodeset: + name: kayobe-ubuntu-noble-16GB + nodes: + - name: primary + label: ubuntu-noble-16GB From ca230c71c9642586c2aea27f70111e6888095aa4 Mon Sep 17 00:00:00 2001 From: Eric Le Lay Date: Tue, 9 Dec 2025 15:43:40 +0100 Subject: [PATCH 160/187] Add support for url sources in kolla_sources Previously the version and sha256 attributes would not be generated in kolla-build.conf, preventing the override for sources with url type. Only git and local types worked. Change-Id: I0a5100347d8755a452d2744a458b3177e41196ca 
Signed-off-by: Eric Le Lay --- .../kolla-build/templates/kolla/kolla-build.conf | 7 +++++++ doc/source/configuration/reference/kolla.rst | 15 ++++++++++++++- ...erride-kolla_sources-url-b268b5c87b051ea0.yaml | 7 +++++++ 3 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/override-kolla_sources-url-b268b5c87b051ea0.yaml diff --git a/ansible/roles/kolla-build/templates/kolla/kolla-build.conf b/ansible/roles/kolla-build/templates/kolla/kolla-build.conf index 4e84cec0d..78ccd60bf 100644 --- a/ansible/roles/kolla-build/templates/kolla/kolla-build.conf +++ b/ansible/roles/kolla-build/templates/kolla/kolla-build.conf @@ -40,6 +40,13 @@ location = {{ source_def.location }} # Reference of source for {{ source_name }}. reference = {{ source_def.reference }} {% endif %} +{% if source_def.sha256 is defined %} +{# generates sha256 = amd64:xxx,arm64:yyy #} +sha256 = {{ source_def.sha256.keys() | zip (source_def.sha256.values()) | map("join", ":") | join(",") }} +{% endif %} +{% if source_def.version is defined %} +version = {{ source_def.version }} +{% endif %} {% endfor %} diff --git a/doc/source/configuration/reference/kolla.rst b/doc/source/configuration/reference/kolla.rst index b920944eb..3a03dfb94 100644 --- a/doc/source/configuration/reference/kolla.rst +++ b/doc/source/configuration/reference/kolla.rst @@ -247,7 +247,7 @@ default is to specify the URL and version of Bifrost, as defined in ``${KAYOBE_CONFIG_PATH}/bifrost.yml``. For example, to specify a custom source location for the ``ironic-base`` -package: +package and a custom version of cadvisor: .. code-block:: yaml :caption: ``kolla.yml`` @@ -261,6 +261,11 @@ package: type: "git" location: https://git.example.com/ironic reference: downstream + prometheus-cadvisor: + version: "0.54.1" + sha256: + amd64: xxxx + arm64: yyyy This will result in Kayobe adding the following configuration to ``kolla-build.conf``: 
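Review bot: `version` and `sha256` are emitted independently, so an override that sets only `version` renders a section with a new version and no checksum of its own. The documentation added in this commit says unset attributes are inherited from Kolla, so the old digest would presumably apply and the build would fail verification rather than skip it. That is worth confirming, and the docs or the template should state that the two must be overridden together. Separately, the sha256 line reads more directly as `sha256 = {{ source_def.sha256.items() | map('join', ':') | join(',') }}`, which gives the same `arch:digest` pairs without the `keys() | zip(values())` round trip. The enclosing `{% for %}` loop starts outside the hunk.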
@@ -278,9 +283,17 @@ This will result in Kayobe adding the following configuration to location = https://git.example.com/ironic reference = downstream + [prometheus-cadvisor] + version = 0.54.1 + sha256 = amd64:xxxx,arm64:yyyy + Note that it is currently necessary to include the Bifrost source location if using a seed. +Note that it is not necessary to specify the prometheus-cadvisor ``type: url`` +and ``location: https://github.com/...`` because they are inherited from kolla +(``kolla/common/sources.py``). + Plugins & additions ------------------- diff --git a/releasenotes/notes/override-kolla_sources-url-b268b5c87b051ea0.yaml b/releasenotes/notes/override-kolla_sources-url-b268b5c87b051ea0.yaml new file mode 100644 index 000000000..e3cd87cd7 --- /dev/null +++ b/releasenotes/notes/override-kolla_sources-url-b268b5c87b051ea0.yaml @@ -0,0 +1,7 @@ +--- +feature: + - | + Adds support for ``url`` sources in ``kolla_sources``. Previously the + ``version`` and ``sha256`` attributes would not be generated in + ``kolla-build.conf``, preventing the override for sources with ``url`` + type. Only ``git`` and ``local`` types worked. From 0788c6ded5ccac152859bb16b1866c6c269bcba4 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 27 Jan 2026 10:53:02 +0100 Subject: [PATCH 161/187] CI: Add missing job to experimental queue Change-Id: Ied850ade925dbc35f0150a9ced77879d1a2a796d Signed-off-by: Pierre Riteau --- zuul.d/project.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 37f0d0b23..37fe7338e 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -77,6 +77,7 @@ - kayobe-infra-vm-rocky10-cloud-image - kayobe-infra-vm-ubuntu-noble-cloud-image - kayobe-overcloud-centos10s + - kayobe-overcloud-host-configure-centos10s - kayobe-overcloud-tls-centos10s - kayobe-seed-centos10s - kayobe-seed-images-centos10s From 16f7e2e14be59d32bd2ad39175ac92e8ac824d0c Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Tue, 27 Jan 2026 22:59:14 +0100 Subject: [PATCH 162/187] CI: Enable baremetal inspection testing Change-Id: I9395aa664a24f31d90e2d09f4191f904b437c840 Signed-off-by: Pierre Riteau --- playbooks/kayobe-overcloud-base/run.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/kayobe-overcloud-base/run.yml b/playbooks/kayobe-overcloud-base/run.yml index 3fa4fdaee..e5c617bc8 100644 --- a/playbooks/kayobe-overcloud-base/run.yml +++ b/playbooks/kayobe-overcloud-base/run.yml @@ -42,7 +42,7 @@ chdir: "{{ kayobe_src_dir }}" executable: /bin/bash # TODO(priteau): Fix baremetal inspect issues with UEFI - when: ironic_boot_mode == 'bios' and false # TODO(priteau): Re-enable when working + when: ironic_boot_mode == 'bios' - name: Perform testing of the baremetal machines shell: From f1cea2ba29ded2ef389c3614fe5257dd02bb6e34 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Mon, 15 Dec 2025 11:31:47 +0000 Subject: [PATCH 163/187] Remove undocumented playbook for creating external network This is not referenced in the documentation and is not used by any Kayobe commands. It is also likely to be broken as it needs refactoring to properly support the stackhpc.os-networks role. An attempt was made to do this previously[1], but the variables in the refactoring do not exist in the new role. This wasn't caught at the time as it is unused in the CI. These days we prefer to manage the networks in a separate repository using either Ansible or OpenTofu. [1] https://github.com/openstack/kayobe/commit/619ad3ebc83811af640d4f6d4294b428946d4bd1 Change-Id: Ie3b618471e8ed91b202867972897e364805d336e Signed-off-by: Will Szumski --- ansible/external-net.yml | 25 ------------------------- 1 file changed, 25 deletions(-) delete mode 100644 ansible/external-net.yml diff --git a/ansible/external-net.yml b/ansible/external-net.yml deleted file mode 100644 index e3e7a89fd..000000000 --- a/ansible/external-net.yml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -- name: Ensure external network and subnet are registered in neutron - # Only required to run on a single host. - hosts: controllers[0] - roles: - - role: stackhpc.openstack.os_networks - os_openstacksdk_install_epel: "{{ dnf_install_epel }}" - os_openstacksdk_upper_constraints_file: "{{ openstacksdk_upper_constraints_file }}" - os_networks_venv: "{{ virtualenv_path }}/openstacksdk" - os_networks_openstack_auth_type: "{{ openstack_auth_type }}" - os_networks_openstack_auth: "{{ openstack_auth }}" - # Network configuration. - os_networks_name: "{{ item }}" - os_networks_type: "{% if item | net_vlan %}vlan{% else %}flat{% endif %}" - os_networks_physical_network: "physnet1" - os_networks_segmentation_id: "{{ item | net_vlan }}" - os_networks_shared: True - os_networks_external: True - # Subnet configuration. - os_networks_subnet_name: "{{ item }}" - os_networks_cidr: "{{ item | net_cidr }}" - os_networks_gateway_ip: "{{ item | net_gateway }}" - os_networks_allocation_pool_start: "{{ item | net_neutron_allocation_pool_start }}" - os_networks_allocation_pool_end: "{{ item | net_neutron_allocation_pool_end }}" - with_items: "{{ external_net_names }}" From 7b11017c732c8aa233bb72ad71fc646a3e806f2c Mon Sep 17 00:00:00 2001 From: Grzegorz Koper Date: Tue, 27 Jan 2026 12:28:35 +0100 Subject: [PATCH 164/187] Changed the way bashate is executed to exclude local dev artifacts. Closes-bug: #2139142 Change-Id: I65d60fe49bbc7c0fb7472d065040d7f446258705 Signed-off-by: Grzegorz Koper --- tools/run-bashate.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/run-bashate.sh b/tools/run-bashate.sh index 2b5b514cf..dd35ba737 100755 --- a/tools/run-bashate.sh +++ b/tools/run-bashate.sh 
@@ -6,4 +6,6 @@ ROOT=$(readlink -fn $(dirname $0)/.. ) # NOTE(priteau): ignore E010 because it fails on one-liner bash loops: # https://bugs.launchpad.net/bash8/+bug/1895102 find $ROOT -not -wholename \*.tox/\* -and -not -wholename \*.test/\* \ + -and -not -wholename \*.ansible/\* -and -not -wholename \*venv\* \ + -and -not -wholename \*/ansible/roles/\*.\*/\* \ -and -name \*.sh -print0 | xargs -0 bashate -v --ignore E006,E010 From 839742602aad94faf2d3903f6f8628ca25205ed9 Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Fri, 25 Oct 2024 17:54:12 +0200 Subject: [PATCH 165/187] CI: Add bandit testing Only report on high-severity issues for now before including more issues in the future. Signed-off-by: Michal Nasiadka Change-Id: Iaf60f08bfb802efd022f8658f1d757b44d9419c2 --- .../tests/unit/plugins/action/test_kolla_ansible_host_vars.py | 3 ++- test-requirements.txt | 1 + tox.ini | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/kayobe/tests/unit/plugins/action/test_kolla_ansible_host_vars.py b/kayobe/tests/unit/plugins/action/test_kolla_ansible_host_vars.py index 3ae00e1a9..480a5cf2a 100644 --- a/kayobe/tests/unit/plugins/action/test_kolla_ansible_host_vars.py +++ b/kayobe/tests/unit/plugins/action/test_kolla_ansible_host_vars.py @@ -50,7 +50,8 @@ class FakeTemplar(object): def __init__(self, variables): self.variables = variables - self.env = jinja2.Environment() + # Bandit complains about Jinja2 autoescaping without nosec. + self.env = jinja2.Environment() # nosec self.env.filters['net_interface'] = _net_interface self.env.filters['net_parent'] = _net_parent self.env.filters['net_vlan'] = _net_vlan diff --git a/test-requirements.txt b/test-requirements.txt index 6295d47fd..f5270c8d3 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -3,6 +3,7 @@ # process, which may cause wedges in the gate later. ansible-lint>=25.0.0,<26.0.0 # MIT +bandit>=1.1.0 # Apache-2.0 bashate>=0.2 # Apache-2.0 coverage>=4.0 # Apache-2.0 doc8 # Apache-2.0 
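Review bot: The new `-not -wholename \*venv\*` test is not tied to a directory, so any script whose path merely contains "venv" is silently dropped from the bashate run. Likewise `\*/ansible/roles/\*.\*/\*` also excludes in-tree roles that have a dotted subdirectory, because `*` in `-wholename` matches `/` as well. Requiring a directory boundary keeps coverage of the project's own scripts: `-and -not -wholename \*venv/\*` for virtualenvs and `-and -not -regex '.*/ansible/roles/[^/]*\.[^/]*/.*'` for Galaxy roles.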
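Review bot: The bare `# nosec` on the `jinja2.Environment()` line in `FakeTemplar.__init__` silences every Bandit check on that line, not only the autoescape finding the comment refers to. Recent Bandit releases accept a test ID, which keeps any later finding on the same line visible: `self.env = jinja2.Environment()  # nosec B701`. The comment above it could also record why the suppression is acceptable, for example that this is a test-only templar whose output is never rendered as HTML, if that is the reasoning. The class body continues outside the hunk.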
diff --git a/tox.ini b/tox.ini index a8ea73ca1..de8c0fa6b 100644 --- a/tox.ini +++ b/tox.ini @@ -39,6 +39,7 @@ commands = # directives. python3 {toxinidir}/tools/sphinx8 README.rst CONTRIBUTING.rst doc/source --ignore D001 yamllint etc/kayobe + bandit -r --severity-level=high ansible kayobe tools [testenv:venv] deps = From 0115b6ea5efa9a8ee0583b50f948ee1758960a67 Mon Sep 17 00:00:00 2001 From: Matt Crees Date: Mon, 2 Feb 2026 09:53:30 +0000 Subject: [PATCH 166/187] Bump stackhpc.linux collection to v1.5.1 Fixes race conditions in setup of vGPU SR-IOV devices. Adds support for configuring MIG devices without creating vGPUs. Change-Id: Ida4b38b98ab1140d44941355bc7ff991b0b5aa47 Signed-off-by: Matt Crees --- .../bump-stackhpc-linux-v1.5.1-c002b7c99921cd20.yaml | 9 +++++++++ requirements.yml | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/bump-stackhpc-linux-v1.5.1-c002b7c99921cd20.yaml diff --git a/releasenotes/notes/bump-stackhpc-linux-v1.5.1-c002b7c99921cd20.yaml b/releasenotes/notes/bump-stackhpc-linux-v1.5.1-c002b7c99921cd20.yaml new file mode 100644 index 000000000..a15eb2584 --- /dev/null +++ b/releasenotes/notes/bump-stackhpc-linux-v1.5.1-c002b7c99921cd20.yaml @@ -0,0 +1,9 @@ +--- +features: + - | + Bumps ``stackhpc.linux`` Ansible collection to v1.5.1. This adds + support for configuring MIG devices without creating vGPUs. +fixes: + - | + Bumps ``stackhpc.linux`` Ansible collection to v1.5.1. This fixes + race conditions in setup of vGPU SR-IOV devices. diff --git a/requirements.yml b/requirements.yml index a52a64662..861b53393 100644 --- a/requirements.yml +++ b/requirements.yml @@ -18,7 +18,7 @@ collections: - name: openstack.cloud version: '<3' - name: stackhpc.linux - version: 1.3.4 + version: 1.5.1 - name: stackhpc.network version: 1.0.0 - name: stackhpc.openstack From 06c025e7f4688c5f59b035948978b12d0f9f862b Mon Sep 17 00:00:00 2001 
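Review bot: The new command uses `--severity-level=high`, but test-requirements.txt in the same commit allows `bandit>=1.1.0`, and to my knowledge that long option only appeared in the 1.7 series. Either raise the lower bound to a release that has the flag, or use the older equivalent, `bandit -r -lll ansible kayobe tools`. Note also that `-r ansible` descends into locally downloaded Galaxy roles and collections, which the preceding bashate change in this series deliberately excludes. An `-x` exclusion for those paths would keep the results to the project's own code.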
From: Pierre Riteau Date: Fri, 6 Feb 2026 22:14:47 +0100 Subject: [PATCH 167/187] Remove compatibility with Ansible 11 Change-Id: Ic5094dbc2223a46638582be1159e37d404c6d5fb Signed-off-by: Pierre Riteau --- kayobe/ansible.py | 9 +-------- kayobe/tests/unit/test_utils.py | 10 +--------- 2 files changed, 2 insertions(+), 17 deletions(-) diff --git a/kayobe/ansible.py b/kayobe/ansible.py index f6cf8dbb0..caa6df7b1 100644 --- a/kayobe/ansible.py +++ b/kayobe/ansible.py @@ -21,14 +21,7 @@ import sys import tempfile -# TODO(dougszu): Backwards compatibility for Ansible 11. This exception -# handler can be removed in the G cycle. -try: - from ansible.parsing.vault import EncryptedString -except ImportError: - # Ansible 11 - from ansible.parsing.yaml.objects import AnsibleVaultEncryptedUnicode - EncryptedString = AnsibleVaultEncryptedUnicode +from ansible.parsing.vault import EncryptedString from kayobe import exception from kayobe import utils diff --git a/kayobe/tests/unit/test_utils.py b/kayobe/tests/unit/test_utils.py index fc975c221..736678e9f 100644 --- a/kayobe/tests/unit/test_utils.py +++ b/kayobe/tests/unit/test_utils.py @@ -18,15 +18,7 @@ import unittest from unittest import mock -# TODO(dougszu): Backwards compatibility for Ansible 11. This exception -# handler can be removed in the G cycle. -try: - from ansible.parsing.vault import EncryptedString -except ImportError: - # Ansible 11 - from ansible.parsing.yaml.objects import AnsibleVaultEncryptedUnicode - EncryptedString = AnsibleVaultEncryptedUnicode - +from ansible.parsing.vault import EncryptedString import yaml from kayobe import exception From 981d63926c421a5a39bc2cf16394a5b668b94aba Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Sat, 7 Feb 2026 22:43:41 +0100 Subject: [PATCH 168/187] Split Python installation from user bootstrap The check for the absence of the Python interpreter cannot run with ansible_python_interpreter set to /usr/bin/python3. Change-Id: Ibab43c633cf718664e144470e944ef24425695fe 
Signed-off-by: Pierre Riteau --- ansible/kayobe-ansible-user.yml | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/ansible/kayobe-ansible-user.yml b/ansible/kayobe-ansible-user.yml index c54aa703f..16e3e9851 100644 --- a/ansible/kayobe-ansible-user.yml +++ b/ansible/kayobe-ansible-user.yml @@ -36,8 +36,8 @@ attempting bootstrap when: ssh_result.unreachable | default(false) -- name: Ensure python is installed and the Kayobe Ansible user account exists - hosts: kayobe_user_bootstrap_required_True +- name: Ensure Python is installed + hosts: seed-hypervisor:seed:overcloud:infra-vms gather_facts: no max_fail_percentage: >- {{ kayobe_ansible_user_max_fail_percentage | @@ -46,14 +46,10 @@ default(100) }} vars: ansible_user: "{{ bootstrap_user }}" - # We can't assume that a virtualenv exists at this point, so use the system - # python interpreter. - ansible_python_interpreter: /usr/bin/python3 dnf_options: - "-y" - "{% if 'proxy' in dnf_config %}--setopt=proxy={{ dnf_config['proxy'] }}{% endif %}" tags: - - kayobe-ansible-user - ensure-python tasks: - name: Check if python is installed @@ -67,6 +63,22 @@ raw: "test -e /usr/bin/apt && (sudo apt -y update && sudo apt install -y python3-minimal) || (sudo dnf {{ dnf_options | select | join(' ') }} install python3)" when: check_python.rc != 0 +- name: Ensure the Kayobe Ansible user account exists + hosts: kayobe_user_bootstrap_required_True + gather_facts: no + max_fail_percentage: >- + {{ kayobe_ansible_user_max_fail_percentage | + default(host_configure_max_fail_percentage) | + default(kayobe_max_fail_percentage) | + default(100) }} + vars: + ansible_user: "{{ bootstrap_user }}" + # We can't assume that a virtualenv exists at this point, so use the system + # python interpreter. + ansible_python_interpreter: /usr/bin/python3 + tags: + - kayobe-ansible-user + tasks: - import_role: name: singleplatform-eng.users vars: 
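Review bot: The "Ensure Python is installed" play now targets `seed-hypervisor:seed:overcloud:infra-vms` instead of `kayobe_user_bootstrap_required_True`, but still sets `ansible_user: "{{ bootstrap_user }}"`. It therefore connects as the bootstrap account to every host, including those where the first play found that bootstrap is not required. Where that account has been locked or removed after initial setup, those hosts would presumably become unreachable in this play. If the wider pattern is not needed for the interpreter fix, keeping `hosts: kayobe_user_bootstrap_required_True` on the Python play preserves the old scope. Otherwise, a comment on the play explaining why the bootstrap user is used on all hosts would help.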
From fbac01d6977673e6198edce78b917acf66ce65c4 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Wed, 11 Feb 2026 16:09:47 +0000 Subject: [PATCH 169/187] Stop using reserved variable: gather_facts Causes the following warning to be displayed: [WARNING]: Found variable using reserved name 'gather_facts'. Also updates conditional inline for broken conditionals check[1]. [1] https://docs.ansible.com/projects/ansible/latest/porting_guides/porting_guide_12.html#broken-conditionals TrivialFix Change-Id: I7b25690d2fe9052852505a08d5c249d0b938c36c Signed-off-by: Will Szumski --- ansible/kayobe-target-venv.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ansible/kayobe-target-venv.yml b/ansible/kayobe-target-venv.yml index 11d7a8938..5074ccb47 100644 --- a/ansible/kayobe-target-venv.yml +++ b/ansible/kayobe-target-venv.yml @@ -26,9 +26,9 @@ filter: "{{ kayobe_ansible_setup_filter }}" gather_subset: "{{ kayobe_ansible_setup_gather_subset }}" when: - - ansible_facts is undefined or not ansible_facts + - ansible_facts is undefined or ansible_facts is falsy - kayobe_virtualenv is defined - register: gather_facts + register: gather_facts_result # Before any facts are gathered, ansible doesn't know about # python virtualenv. # Use default python3 to be safe for this task. @@ -104,7 +104,7 @@ gather_subset: "{{ kayobe_ansible_setup_gather_subset }}" when: - kayobe_virtualenv is defined - - gather_facts is not skipped + - gather_facts_result is not skipped - lookup('config', 'DEFAULT_GATHERING') != 'implicit' - block: From a5b72b0b4714ed670a4104de3439421e6f5a5d78 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Thu, 12 Feb 2026 11:08:32 +0100 Subject: [PATCH 170/187] Bump all Ansible collections and roles Change-Id: I3c793f1f63d5d220efd967dcea17beff4f861644 Signed-off-by: Pierre Riteau --- requirements.yml | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) 
diff --git a/requirements.yml b/requirements.yml index 861b53393..e0aa67977 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ collections: type: git version: master - name: community.docker - version: 3.11.0 + version: 5.0.5 - name: community.network version: 5.1.0 - name: dellemc.os6 @@ -22,37 +22,36 @@ collections: - name: stackhpc.network version: 1.0.0 - name: stackhpc.openstack - version: 0.6.0 + version: 0.9.0 roles: - src: ahuffman.resolv - version: 1.3.1 + version: 1.3.2 - src: giovtorres.tuned - version: 1.2.0 + version: 2.0.2 - src: git+https://github.com/stackhpc/ansible-role-configdrive.git name: jriguera.configdrive version: fb199247333e72e38a9d414cf7b6144daa645477 - src: MichaelRigart.interfaces - version: v1.15.6 + version: v1.16.1 - src: mrlesmithjr.chrony version: v0.1.6 - src: mrlesmithjr.manage_lvm - version: v0.2.8 + version: v0.2.13 - src: mrlesmithjr.mdadm - version: v0.1.1 + version: v0.1.9 - src: singleplatform-eng.users - version: v1.2.5 + version: v1.2.6 - src: stackhpc.drac version: 1.1.6 - src: stackhpc.drac-facts - version: 1.0.0 - - src: git+https://github.com/stackhpc/ansible-role-libvirt-host.git - name: stackhpc.libvirt-host - version: 9a947f74abdcd2e0d4e3371162f8299aef259271 + version: v1.0.1 + - src: stackhpc.libvirt-host + version: v1.15.0 - src: stackhpc.libvirt-vm version: v1.16.3 - src: stackhpc.luks - version: 0.4.2 + version: 0.4.4 - src: stackhpc.os-ironic-state version: v1.3.1 - src: stackhpc.timezone From f29b3422ce0081c7eff6a19496918adc152efd47 Mon Sep 17 00:00:00 2001 
From: Grzegorz Koper Date: Wed, 11 Feb 2026 10:10:24 +0100 Subject: [PATCH 171/187] Exclude local artifacts from ansible-lint Match recent bashate cleanup by excluding local artifact paths from the tox linters ansible-lint run. Skip .ansible, ansible/collections and dotted Galaxy role directories under ansible/roles/*.* so external downloaded collections and roles are not linted. Closes-Bug: #2141527 Change-Id: If0eee54d7ade3d85ab5b999b32a216d8ea3a91b9 Signed-off-by: Grzegorz Koper --- tox.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tox.ini b/tox.ini index de8c0fa6b..ed74876cd 100644 --- a/tox.ini +++ b/tox.ini @@ -92,7 +92,7 @@ commands = setenv = {[testenv:linters]setenv} deps = {[testenv:linters]deps} commands = - ansible-lint -p --exclude etc --exclude kayobe/plugins --exclude playbooks --exclude releasenotes --exclude roles --exclude zuul.d --exclude ansible/idrac-bootstrap.yml + ansible-lint -p --exclude etc --exclude kayobe/plugins --exclude playbooks --exclude releasenotes --exclude roles --exclude zuul.d --exclude ansible/idrac-bootstrap.yml --exclude .ansible --exclude ansible/roles/*.* --exclude ansible/collections [testenv:ansible-syntax] commands = From 8b36acddab1fc16c35ef86852c6a816da3617546 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 17 Feb 2026 21:50:32 +0100 Subject: [PATCH 172/187] Support Python installation through Apt proxy Change-Id: Ib2f9c10433c42f783e1d5f618291ba5cb7be1641 Signed-off-by: Pierre Riteau --- ansible/kayobe-ansible-user.yml | 9 ++++++--- .../notes/bootstrap-apt-proxy-bb121cf577eaeba4.yaml | 4 ++++ 2 files changed, 10 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/bootstrap-apt-proxy-bb121cf577eaeba4.yaml diff --git a/ansible/kayobe-ansible-user.yml b/ansible/kayobe-ansible-user.yml index 16e3e9851..bcf170621 100644 --- a/ansible/kayobe-ansible-user.yml +++ b/ansible/kayobe-ansible-user.yml 
@@ -46,6 +46,10 @@ default(100) }} vars: ansible_user: "{{ bootstrap_user }}" + apt_options: + - "-y" + - "{% if apt_proxy_http %}-o Acquire::http::proxy='{{ apt_proxy_http }}'{% endif %}" + - "{% if apt_proxy_https %}-o Acquire::https::proxy='{{ apt_proxy_https }}'{% endif %}" dnf_options: - "-y" - "{% if 'proxy' in dnf_config %}--setopt=proxy={{ dnf_config['proxy'] }}{% endif %}" @@ -58,9 +62,8 @@ failed_when: false register: check_python - # TODO(priteau): Support apt proxy - - name: Ensure python is installed - raw: "test -e /usr/bin/apt && (sudo apt -y update && sudo apt install -y python3-minimal) || (sudo dnf {{ dnf_options | select | join(' ') }} install python3)" + - name: Ensure Python is installed + raw: "(test -e /usr/bin/apt && sudo apt {{ apt_options | select | join(' ') }} update && sudo apt install {{ apt_options | select | join(' ') }} python3-minimal) || (test -e /usr/bin/dnf && sudo dnf {{ dnf_options | select | join(' ') }} install python3)" when: check_python.rc != 0 - name: Ensure the Kayobe Ansible user account exists diff --git a/releasenotes/notes/bootstrap-apt-proxy-bb121cf577eaeba4.yaml b/releasenotes/notes/bootstrap-apt-proxy-bb121cf577eaeba4.yaml new file mode 100644 index 000000000..5ed203141 --- /dev/null +++ b/releasenotes/notes/bootstrap-apt-proxy-bb121cf577eaeba4.yaml @@ -0,0 +1,4 @@ +--- +features: + - | + Adds support for bootstrapping Python on Ubuntu through a proxy. From f5ca1646b571812b4a01f50087cee840c8567e6b Mon Sep 17 00:00:00 2001 
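Review bot: The proxy URLs in `apt_options` are placed into the `raw` shell command between hand-written single quotes, so a value containing a quote or other shell metacharacter changes the command that runs under sudo. The `quote` filter handles this: `- "{% if apt_proxy_http %}-o Acquire::http::proxy={{ apt_proxy_http | quote }}{% endif %}"`, and the same for `apt_proxy_https`. If a proxy URL carries credentials, they will also appear in the task's command line and output, so consider whether this task should set `no_log`.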
From: Mark Goddard Date: Fri, 14 Jun 2024 15:12:09 +0100 Subject: [PATCH 173/187] Support Ansible control host configuration Adds support for managing the Ansible control host configuration. This is provided by the new `kayobe control host configure` command, and uses the existing host configuration features in Kayobe. Also provided is a `kayobe control host command run` command for running commands on the Ansible control host, and a `kayobe control host package update` command for updating its OS packages. Co-Authored-By: Leonie Chamberlin-Medd Change-Id: Idde1272da3f17c4a09e77c98c3570a7bbc8d326b Signed-off-by: Pierre Riteau 
Signed-off-by: Leonie Chamberlin-Medd --- ansible/apt.yml | 2 +- ansible/container-engine.yml | 4 +- ansible/control-host-configure.yml | 23 +++ ansible/dev-tools.yml | 2 +- ansible/dnf.yml | 2 +- ansible/firewall.yml | 2 +- ansible/host-command-run.yml | 2 +- ansible/host-package-update.yml | 2 +- .../inventory/group_vars/all/ansible-control | 139 ++++++++++++++++++ .../group_vars/ansible-control/ansible-host | 3 + .../group_vars/ansible-control/ansible-user | 7 + .../ansible-control/container-engine | 5 + .../group_vars/ansible-control/firewall | 21 +++ .../inventory/group_vars/ansible-control/luks | 6 + .../inventory/group_vars/ansible-control/lvm | 6 + .../group_vars/ansible-control/mdadm | 6 + .../group_vars/ansible-control/network | 6 + .../inventory/group_vars/ansible-control/swap | 6 + .../group_vars/ansible-control/sysctl | 3 + .../group_vars/ansible-control/tuned | 7 + .../group_vars/ansible-control/users | 4 + ansible/ip-allocation.yml | 2 +- ansible/kayobe-ansible-user.yml | 6 +- ansible/kayobe-target-venv.yml | 2 +- ansible/logging.yml | 2 +- ansible/luks.yml | 2 +- ansible/lvm.yml | 2 +- ansible/mdadm.yml | 2 +- ansible/network-connectivity.yml | 2 +- ansible/network.yml | 2 +- ansible/pip.yml | 2 +- ansible/proxy.yml | 2 +- ansible/selinux.yml | 2 +- ansible/swap.yml | 2 +- ansible/sysctl.yml | 2 +- ansible/time.yml | 2 +- ansible/tuned.yml | 2 +- ansible/users.yml | 2 +- ansible/wipe-disks.yml | 2 +- dev/ansible-control-host-configure.sh | 18 +++ dev/functions | 10 ++ doc/source/administration/ansible-control.rst | 59 ++++++++ doc/source/administration/index.rst | 1 + doc/source/configuration/reference/hosts.rst | 41 ++++++ .../configuration/reference/network.rst | 13 ++ doc/source/deployment.rst | 29 ++++ etc/kayobe/ansible-control.yml | 124 ++++++++++++++++ .../ansible-python-interpreter | 3 + .../ansible-control/network-interfaces | 20 +++ etc/kayobe/inventory/groups | 8 + kayobe/cli/commands.py | 100 +++++++++++++ 
kayobe/tests/unit/cli/test_commands.py | 107 ++++++++++++++ ...ntrol-host-configure-ca4bb8c4de59c370.yaml | 10 ++ setup.cfg | 9 ++ 54 files changed, 822 insertions(+), 28 deletions(-) create mode 100644 ansible/control-host-configure.yml create mode 100644 ansible/inventory/group_vars/all/ansible-control create mode 100644 ansible/inventory/group_vars/ansible-control/ansible-host create mode 100644 ansible/inventory/group_vars/ansible-control/ansible-user create mode 100644 ansible/inventory/group_vars/ansible-control/container-engine create mode 100644 ansible/inventory/group_vars/ansible-control/firewall create mode 100644 ansible/inventory/group_vars/ansible-control/luks create mode 100644 ansible/inventory/group_vars/ansible-control/lvm create mode 100644 ansible/inventory/group_vars/ansible-control/mdadm create mode 100644 ansible/inventory/group_vars/ansible-control/network create mode 100644 ansible/inventory/group_vars/ansible-control/swap create mode 100644 ansible/inventory/group_vars/ansible-control/sysctl create mode 100644 ansible/inventory/group_vars/ansible-control/tuned create mode 100644 ansible/inventory/group_vars/ansible-control/users create mode 100755 dev/ansible-control-host-configure.sh create mode 100644 doc/source/administration/ansible-control.rst create mode 100644 etc/kayobe/ansible-control.yml create mode 100644 etc/kayobe/inventory/group_vars/ansible-control/ansible-python-interpreter create mode 100644 etc/kayobe/inventory/group_vars/ansible-control/network-interfaces create mode 100644 releasenotes/notes/control-host-configure-ca4bb8c4de59c370.yaml diff --git a/ansible/apt.yml b/ansible/apt.yml index 633454563..1dabb4038 100644 --- a/ansible/apt.yml +++ b/ansible/apt.yml 
@@ -1,6 +1,6 @@ --- - name: Ensure APT is configured - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control max_fail_percentage: >- {{ apt_max_fail_percentage | default(host_configure_max_fail_percentage) | diff --git a/ansible/container-engine.yml b/ansible/container-engine.yml index 988bed210..7e6b30a23 100644 --- a/ansible/container-engine.yml +++ b/ansible/container-engine.yml @@ -19,7 +19,7 @@ docker_http_proxy: "{{ kolla_http_proxy }}" docker_https_proxy: "{{ kolla_https_proxy }}" docker_no_proxy: "{{ kolla_no_proxy | select | join(',') }}" - when: container_engine == "docker" + when: container_engine_enabled | default(true) | bool and container_engine == "docker" - name: Ensure podman is configured hosts: container-engine @@ -34,4 +34,4 @@ tasks: - include_role: name: openstack.kolla.podman - when: container_engine == "podman" + when: container_engine_enabled | default(true) | bool and container_engine == "podman" diff --git a/ansible/control-host-configure.yml b/ansible/control-host-configure.yml new file mode 100644 index 000000000..996da2c68 --- /dev/null +++ b/ansible/control-host-configure.yml @@ -0,0 +1,23 @@ +--- +- import_playbook: "ssh-known-host.yml" +- import_playbook: "kayobe-ansible-user.yml" +- import_playbook: "logging.yml" +- import_playbook: "proxy.yml" +- import_playbook: "apt.yml" +- import_playbook: "dnf.yml" +- import_playbook: "pip.yml" +- import_playbook: "kayobe-target-venv.yml" +- import_playbook: "wipe-disks.yml" +- import_playbook: "users.yml" +- import_playbook: "dev-tools.yml" +- import_playbook: "selinux.yml" +- import_playbook: "network.yml" +- import_playbook: "firewall.yml" +- import_playbook: "tuned.yml" +- import_playbook: "sysctl.yml" +- import_playbook: "time.yml" +- import_playbook: "mdadm.yml" +- import_playbook: "luks.yml" +- import_playbook: "lvm.yml" +- import_playbook: "swap.yml" +- import_playbook: "container-engine.yml" 
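Review bot: In ansible/container-engine.yml both new `when:` expressions put a filter chain and a comparison in one string, `container_engine_enabled | default(true) | bool and container_engine == "docker"`, which only reads correctly if the reader knows that Jinja filters bind tighter than `and`. Writing each condition as a two-item `when:` list, `- container_engine_enabled | default(true) | bool` followed by `- container_engine == "docker"` (and likewise for podman), evaluates the same way and makes the two gates visible. A one-line comment above each task saying that `container_engine_enabled` is a per-group switch that is treated as enabled when unset would also help, since nothing in the visible lines defines it. Both plays start before and continue past these hunks.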
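Review bot: ansible/control-host-configure.yml imports `wipe-disks.yml`, and the later ansible/wipe-disks.yml hunk adds `ansible-control` to the play named "Ensure that all unmounted block devices are wiped", so a destructive play now reaches the host that typically holds the Kayobe configuration and credentials. Whatever restricts that play to an explicit operator request sits outside both hunks, so it is worth confirming that the restriction also applies to the ansible-control group before merging. I would add a comment above the import, `# Destructive: wipe-disks.yml must only act when wiping is explicitly requested.`, so the opt-in requirement is visible in the new playbook.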
diff --git a/ansible/dev-tools.yml b/ansible/dev-tools.yml index 5f6f3ed32..228d1643c 100644 --- a/ansible/dev-tools.yml +++ b/ansible/dev-tools.yml @@ -1,6 +1,6 @@ --- - name: Ensure development tools are installed - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control max_fail_percentage: >- {{ dev_tools_max_fail_percentage | default(host_configure_max_fail_percentage) | diff --git a/ansible/dnf.yml b/ansible/dnf.yml index 73999b911..3aa99c486 100644 --- a/ansible/dnf.yml +++ b/ansible/dnf.yml @@ -1,6 +1,6 @@ --- - name: Ensure DNF repos are configured - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control max_fail_percentage: >- {{ dnf_max_fail_percentage | default(host_configure_max_fail_percentage) | diff --git a/ansible/firewall.yml b/ansible/firewall.yml index 8455d05f2..066b2d82c 100644 --- a/ansible/firewall.yml +++ b/ansible/firewall.yml @@ -1,6 +1,6 @@ --- - name: Ensure firewall is configured - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control max_fail_percentage: >- {{ firewall_max_fail_percentage | default(host_configure_max_fail_percentage) | diff --git a/ansible/host-command-run.yml b/ansible/host-command-run.yml index ba5497db6..258994aa7 100644 --- a/ansible/host-command-run.yml +++ b/ansible/host-command-run.yml @@ -1,6 +1,6 @@ --- - name: Run a command - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control gather_facts: False max_fail_percentage: >- {{ host_command_run_max_fail_percentage | diff --git a/ansible/host-package-update.yml b/ansible/host-package-update.yml index 94b014ba1..77be7c722 100644 --- a/ansible/host-package-update.yml +++ b/ansible/host-package-update.yml 
@@ -1,6 +1,6 @@ --- - name: Update host packages - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control max_fail_percentage: >- {{ host_package_update_max_fail_percentage | default(kayobe_max_fail_percentage) | diff --git a/ansible/inventory/group_vars/all/ansible-control b/ansible/inventory/group_vars/all/ansible-control new file mode 100644 index 000000000..0f9f555c0 --- /dev/null +++ b/ansible/inventory/group_vars/all/ansible-control 
@@ -0,0 +1,139 @@ +--- +############################################################################### +# Ansible control host configuration. + +# User with which to access the Ansible control host via SSH during bootstrap, +# in order to setup the Kayobe user account. Default is {{ os_distribution }}. +ansible_control_bootstrap_user: "{{ os_distribution }}" + +############################################################################### +# Ansible control host network interface configuration. + +# List of networks to which Ansible control host are attached. +ansible_control_network_interfaces: > + {{ (ansible_control_default_network_interfaces + + ansible_control_extra_network_interfaces) | select | unique | list }} + +# List of default networks to which Ansible control host are attached. +ansible_control_default_network_interfaces: > + {{ [admin_oc_net_name] | select | unique | list }} + +# List of extra networks to which Ansible control host are attached. +ansible_control_extra_network_interfaces: [] + +############################################################################### +# Ansible control host software RAID configuration. + +# List of software RAID arrays. See mrlesmithjr.mdadm role for format. +ansible_control_mdadm_arrays: [] + +############################################################################### +# Ansible control host encryption configuration. + +# List of block devices to encrypt. See stackhpc.luks role for format. +ansible_control_luks_devices: [] + +############################################################################### +# Ansible control host LVM configuration. + +# List of Ansible control host volume groups. See mrlesmithjr.manage_lvm role +# for format. +ansible_control_lvm_groups: "{{ ansible_control_lvm_groups_default + ansible_control_lvm_groups_extra }}" + +# Default list of Ansible control host volume groups. See +# mrlesmithjr.manage_lvm role for format. 
+ansible_control_lvm_groups_default: "{{ [ansible_control_lvm_group_data] if ansible_control_lvm_group_data_enabled | bool else [] }}" + +# Additional list of Ansible control host volume groups. See +# mrlesmithjr.manage_lvm role for format. +ansible_control_lvm_groups_extra: [] + +# Whether a 'data' LVM volume group should exist on the Ansible control host. +# By default this contains a 'docker-volumes' logical volume for Docker volume +# storage. Default is false. +ansible_control_lvm_group_data_enabled: false + +# Ansible control host LVM volume group for data. See mrlesmithjr.manage_lvm +# role for format. +ansible_control_lvm_group_data: + vgname: data + disks: "{{ ansible_control_lvm_group_data_disks }}" + create: True + lvnames: "{{ ansible_control_lvm_group_data_lvs }}" + +# List of disks for use by Ansible control host LVM data volume group. Default +# to an invalid value to require configuration. +ansible_control_lvm_group_data_disks: + - changeme + +# List of LVM logical volumes for the data volume group. +ansible_control_lvm_group_data_lvs: + - "{{ ansible_control_lvm_group_data_lv_docker_volumes }}" + +# Docker volumes LVM backing volume. +ansible_control_lvm_group_data_lv_docker_volumes: + lvname: docker-volumes + size: "{{ ansible_control_lvm_group_data_lv_docker_volumes_size }}" + create: True + filesystem: "{{ ansible_control_lvm_group_data_lv_docker_volumes_fs }}" + mount: True + mntp: /var/lib/docker/volumes + +# Size of docker volumes LVM backing volume. +ansible_control_lvm_group_data_lv_docker_volumes_size: 75%VG + +# Filesystem for docker volumes LVM backing volume. ext4 allows for shrinking. +ansible_control_lvm_group_data_lv_docker_volumes_fs: ext4 + +############################################################################### +# Ansible control host sysctl configuration. + +# Dict of sysctl parameters to set. 
+ansible_control_sysctl_parameters: {} + +############################################################################### +# Ansible control host tuned configuration. + +# Builtin tuned profile to use. Format is same as that used by giovtorres.tuned +# role. Default is throughput-performance. +ansible_control_tuned_active_builtin_profile: "throughput-performance" + +############################################################################### +# Ansible control host user configuration. + +# List of users to create. This should be in a format accepted by the +# singleplatform-eng.users role. +ansible_control_users: "{{ users_default }}" + +############################################################################### +# Ansible control host firewalld configuration. + +# Whether to install and enable firewalld. +ansible_control_firewalld_enabled: false + +# A list of zones to create. Each item is a dict containing a 'zone' item. +ansible_control_firewalld_zones: [] + +# A firewalld zone to set as the default. Default is unset, in which case the +# default zone will not be changed. +ansible_control_firewalld_default_zone: + +# A list of firewall rules to apply. Each item is a dict containing arguments +# to pass to the firewalld module. Arguments are omitted if not provided, with +# the following exceptions: +# - offline: true +# - permanent: true +# - state: enabled +ansible_control_firewalld_rules: [] + +############################################################################### +# Ansible control host swap configuration. + +# List of swap devices. Each item is a dict containing a 'device' item. +ansible_control_swap: [] + +############################################################################### +# Ansible control host container engine configuration. + +# Whether a container engine should be configured. Default is false. +ansible_control_container_engine_enabled: false 
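Review bot: `ansible_control_firewalld_enabled: false` is documented only as `# Whether to install and enable firewalld.`, while other switches in this file state their default ("Default is false."). Because this host drives the rest of the deployment, the comment should make the opt-in explicit, e.g. `# Whether to install and enable firewalld. Default is false.`. Two smaller style points in the same hunk: `ansible_control_firewalld_default_zone:` is a bare key and would read more clearly as an explicit `null`, and `create: True` / `mount: True` mix capitalised booleans with the lowercase `false` used elsewhere in the file.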
diff --git a/ansible/inventory/group_vars/ansible-control/ansible-host b/ansible/inventory/group_vars/ansible-control/ansible-host
new file mode 100644
index 000000000..3d291ad41
--- /dev/null
+++ b/ansible/inventory/group_vars/ansible-control/ansible-host
@@ -0,0 +1,3 @@
+---
+# Host/IP with which to access the Ansible control host via SSH.
+ansible_host: "{{ admin_oc_net_name | net_ip }}"
diff --git a/ansible/inventory/group_vars/ansible-control/ansible-user b/ansible/inventory/group_vars/ansible-control/ansible-user
new file mode 100644
index 000000000..d9a48787e
--- /dev/null
+++ b/ansible/inventory/group_vars/ansible-control/ansible-user
@@ -0,0 +1,7 @@
+---
+# User with which to access the Ansible control host via SSH.
+ansible_user: "{{ kayobe_ansible_user }}"
+
+# User with which to access the Ansible control host before the
+# kayobe_ansible_user account has been created.
+bootstrap_user: "{{ ansible_control_bootstrap_user }}"
diff --git a/ansible/inventory/group_vars/ansible-control/container-engine b/ansible/inventory/group_vars/ansible-control/container-engine
new file mode 100644
index 000000000..e92c6388d
--- /dev/null
+++ b/ansible/inventory/group_vars/ansible-control/container-engine
@@ -0,0 +1,5 @@
+---
+###############################################################################
+# Ansible control host container engine configuration.
+
+container_engine_enabled: "{{ ansible_control_container_engine_enabled }}"
diff --git a/ansible/inventory/group_vars/ansible-control/firewall b/ansible/inventory/group_vars/ansible-control/firewall
new file mode 100644
index 000000000..24bbf8ec6
--- /dev/null
+++ b/ansible/inventory/group_vars/ansible-control/firewall
@@ -0,0 +1,21 @@
+---
+###############################################################################
+# Ansible control host firewalld configuration.
+
+# Whether to install and enable firewalld.
+firewalld_enabled: "{{ ansible_control_firewalld_enabled }}"
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+firewalld_zones: "{{ ansible_control_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+firewalld_default_zone: "{{ ansible_control_firewalld_default_zone }}"
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+firewalld_rules: "{{ ansible_control_firewalld_rules }}"
diff --git a/ansible/inventory/group_vars/ansible-control/luks b/ansible/inventory/group_vars/ansible-control/luks
new file mode 100644
index 000000000..842e10c64
--- /dev/null
+++ b/ansible/inventory/group_vars/ansible-control/luks
@@ -0,0 +1,6 @@
+---
+###############################################################################
+# Ansible control host encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+luks_devices: "{{ ansible_control_luks_devices }}"
diff --git a/ansible/inventory/group_vars/ansible-control/lvm b/ansible/inventory/group_vars/ansible-control/lvm
new file mode 100644
index 000000000..ad913dfde
--- /dev/null
+++ b/ansible/inventory/group_vars/ansible-control/lvm
@@ -0,0 +1,6 @@
+---
+###############################################################################
+# Ansible control host LVM configuration.
+
+# List of LVM volume groups.
+lvm_groups: "{{ ansible_control_lvm_groups }}"
diff --git a/ansible/inventory/group_vars/ansible-control/mdadm b/ansible/inventory/group_vars/ansible-control/mdadm
new file mode 100644
index 000000000..d5a5cccea
--- /dev/null
+++ b/ansible/inventory/group_vars/ansible-control/mdadm
@@ -0,0 +1,6 @@
+---
+###############################################################################
+# Ansible control host software RAID configuration.
+
+# List of software RAID arrays. See mrlesmithjr.mdadm role for format.
+mdadm_arrays: "{{ ansible_control_mdadm_arrays }}"
diff --git a/ansible/inventory/group_vars/ansible-control/network b/ansible/inventory/group_vars/ansible-control/network
new file mode 100644
index 000000000..a14971c67
--- /dev/null
+++ b/ansible/inventory/group_vars/ansible-control/network
@@ -0,0 +1,6 @@
+---
+###############################################################################
+# Network interface attachments.
+
+# List of networks to which these nodes are attached.
+network_interfaces: "{{ ansible_control_network_interfaces | unique | list }}"
diff --git a/ansible/inventory/group_vars/ansible-control/swap b/ansible/inventory/group_vars/ansible-control/swap
new file mode 100644
index 000000000..c2d990bd8
--- /dev/null
+++ b/ansible/inventory/group_vars/ansible-control/swap
@@ -0,0 +1,6 @@
+---
+###############################################################################
+# Ansible control host swap configuration.
+
+# List of swap devices. Each item is a dict containing a 'device' item.
+swap: "{{ ansible_control_swap }}"
diff --git a/ansible/inventory/group_vars/ansible-control/sysctl b/ansible/inventory/group_vars/ansible-control/sysctl
new file mode 100644
index 000000000..dba23c496
--- /dev/null
+++ b/ansible/inventory/group_vars/ansible-control/sysctl
@@ -0,0 +1,3 @@
+---
+# Dict of sysctl parameters to set.
+sysctl_parameters: "{{ ansible_control_sysctl_parameters }}"
diff --git a/ansible/inventory/group_vars/ansible-control/tuned b/ansible/inventory/group_vars/ansible-control/tuned new file mode 100644 index 000000000..a442126f4 --- /dev/null +++ b/ansible/inventory/group_vars/ansible-control/tuned @@ -0,0 +1,7 @@ +--- +############################################################################### +# Ansible control host tuned configuration. + +# Builtin tuned profile to use. Format is same as that used by giovtorres.tuned +# role. +tuned_active_builtin_profile: "{{ ansible_control_tuned_active_builtin_profile }}" diff --git a/ansible/inventory/group_vars/ansible-control/users b/ansible/inventory/group_vars/ansible-control/users new file mode 100644 index 000000000..5414b4cac --- /dev/null +++ b/ansible/inventory/group_vars/ansible-control/users @@ -0,0 +1,4 @@ +--- +# List of users to create. This should be in a format accepted by the +# singleplatform-eng.users role. +users: "{{ ansible_control_users }}" diff --git a/ansible/ip-allocation.yml b/ansible/ip-allocation.yml index b82d934a8..46c49b2a5 100644 --- a/ansible/ip-allocation.yml +++ b/ansible/ip-allocation.yml @@ -1,6 +1,6 @@ --- - name: Ensure IP addresses are allocated - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control max_fail_percentage: >- {{ ip_allocation_max_fail_percentage | default(host_configure_max_fail_percentage) | diff --git a/ansible/kayobe-ansible-user.yml b/ansible/kayobe-ansible-user.yml index bcf170621..c0d826453 100644 --- a/ansible/kayobe-ansible-user.yml +++ b/ansible/kayobe-ansible-user.yml @@ -7,7 +7,7 @@ # bootstrap process if the account is inaccessible. - name: Determine whether user bootstrapping is required - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control gather_facts: false max_fail_percentage: >- {{ kayobe_ansible_user_max_fail_percentage | 
@@ -37,7 +37,7 @@ when: ssh_result.unreachable | default(false) - name: Ensure Python is installed - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control gather_facts: no max_fail_percentage: >- {{ kayobe_ansible_user_max_fail_percentage | @@ -103,7 +103,7 @@ become: True - name: Verify that the Kayobe Ansible user account is accessible - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control gather_facts: false max_fail_percentage: >- {{ kayobe_ansible_user_max_fail_percentage | diff --git a/ansible/kayobe-target-venv.yml b/ansible/kayobe-target-venv.yml index 5074ccb47..53005c86e 100644 --- a/ansible/kayobe-target-venv.yml +++ b/ansible/kayobe-target-venv.yml @@ -3,7 +3,7 @@ # when running kayobe. - name: Ensure a virtualenv exists for kayobe - hosts: seed:seed-hypervisor:overcloud:infra-vms + hosts: seed:seed-hypervisor:overcloud:infra-vms:ansible-control gather_facts: False max_fail_percentage: >- {{ kayobe_target_venv_max_fail_percentage | diff --git a/ansible/logging.yml b/ansible/logging.yml index 801ee3a72..9008149f1 100644 --- a/ansible/logging.yml +++ b/ansible/logging.yml @@ -1,6 +1,6 @@ --- - name: Ensure Logging configuration is applied - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control max_fail_percentage: >- {{ logging_max_fail_percentage | default(host_configure_max_fail_percentage) | diff --git a/ansible/luks.yml b/ansible/luks.yml index 57e4796f1..c47f19d70 100644 --- a/ansible/luks.yml +++ b/ansible/luks.yml @@ -1,6 +1,6 @@ --- - name: Ensure encryption configuration is applied - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control max_fail_percentage: >- {{ luks_max_fail_percentage | default(host_configure_max_fail_percentage) | 
diff --git a/ansible/lvm.yml b/ansible/lvm.yml index 3d46edadd..39ce81f51 100644 --- a/ansible/lvm.yml +++ b/ansible/lvm.yml @@ -1,6 +1,6 @@ --- - name: Ensure LVM configuration is applied - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control max_fail_percentage: >- {{ lvm_max_fail_percentage | default(host_configure_max_fail_percentage) | diff --git a/ansible/mdadm.yml b/ansible/mdadm.yml index 4d69b92ef..e78f56ac3 100644 --- a/ansible/mdadm.yml +++ b/ansible/mdadm.yml @@ -1,6 +1,6 @@ --- - name: Ensure software RAID configuration is applied - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control max_fail_percentage: >- {{ mdadm_max_fail_percentage | default(host_configure_max_fail_percentage) | diff --git a/ansible/network-connectivity.yml b/ansible/network-connectivity.yml index 3e0238d8c..2b7bc2278 100644 --- a/ansible/network-connectivity.yml +++ b/ansible/network-connectivity.yml @@ -1,6 +1,6 @@ --- - name: Check network connectivity between hosts - hosts: seed:seed-hypervisor:overcloud:infra-vms + hosts: seed:seed-hypervisor:overcloud:infra-vms:ansible-control max_fail_percentage: >- {{ network_connectivity_max_fail_percentage | default(kayobe_max_fail_percentage) | diff --git a/ansible/network.yml b/ansible/network.yml index c5b99ad0c..e584b7fd8 100644 --- a/ansible/network.yml +++ b/ansible/network.yml @@ -1,6 +1,6 @@ --- - name: Ensure networking is configured - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control max_fail_percentage: >- {{ network_max_fail_percentage | default(host_configure_max_fail_percentage) | diff --git a/ansible/pip.yml b/ansible/pip.yml index 3bea4a70d..98e0473fa 100644 --- a/ansible/pip.yml +++ b/ansible/pip.yml 
@@ -1,6 +1,6 @@ --- - name: Configure local PyPi mirror - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control max_fail_percentage: >- {{ pip_max_fail_percentage | default(host_configure_max_fail_percentage) | diff --git a/ansible/proxy.yml b/ansible/proxy.yml index e96e5674b..ffde65f3e 100644 --- a/ansible/proxy.yml +++ b/ansible/proxy.yml @@ -1,6 +1,6 @@ --- - name: Configure HTTP(S) proxy settings - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control max_fail_percentage: >- {{ proxy_max_fail_percentage | default(host_configure_max_fail_percentage) | diff --git a/ansible/selinux.yml b/ansible/selinux.yml index aa00d4ce4..489967c03 100644 --- a/ansible/selinux.yml +++ b/ansible/selinux.yml @@ -1,6 +1,6 @@ --- - name: Configure SELinux state and reboot if required - hosts: seed:seed-hypervisor:overcloud:infra-vms + hosts: seed:seed-hypervisor:overcloud:infra-vms:ansible-control max_fail_percentage: >- {{ selinux_max_fail_percentage | default(host_configure_max_fail_percentage) | diff --git a/ansible/swap.yml b/ansible/swap.yml index 82ccbba85..c3c9d3d96 100644 --- a/ansible/swap.yml +++ b/ansible/swap.yml @@ -1,6 +1,6 @@ --- - name: Configure swap - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control become: true max_fail_percentage: >- {{ swap_max_fail_percentage | diff --git a/ansible/sysctl.yml b/ansible/sysctl.yml index cf2a2793e..7565014c7 100644 --- a/ansible/sysctl.yml +++ b/ansible/sysctl.yml @@ -1,6 +1,6 @@ --- - name: Ensure sysctl parameters are configured - hosts: seed:seed-hypervisor:overcloud:infra-vms + hosts: seed:seed-hypervisor:overcloud:infra-vms:ansible-control max_fail_percentage: >- {{ sysctl_max_fail_percentage | default(host_configure_max_fail_percentage) | diff --git a/ansible/time.yml b/ansible/time.yml index 2c02e5bbe..8a5d1ecf0 100644 
--- a/ansible/time.yml +++ b/ansible/time.yml @@ -1,6 +1,6 @@ --- - name: Ensure timezone is configured - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control max_fail_percentage: >- {{ time_max_fail_percentage | default(host_configure_max_fail_percentage) | diff --git a/ansible/tuned.yml b/ansible/tuned.yml index 2bf4b2f55..87d8268f6 100644 --- a/ansible/tuned.yml +++ b/ansible/tuned.yml @@ -1,6 +1,6 @@ --- - name: Configure tuned profile - hosts: seed:seed-hypervisor:overcloud:infra-vms + hosts: seed:seed-hypervisor:overcloud:infra-vms:ansible-control max_fail_percentage: >- {{ tuned_max_fail_percentage | default(host_configure_max_fail_percentage) | diff --git a/ansible/users.yml b/ansible/users.yml index 6afc1fd53..67260616c 100644 --- a/ansible/users.yml +++ b/ansible/users.yml @@ -1,6 +1,6 @@ --- - name: Ensure users exist - hosts: seed:seed-hypervisor:overcloud:infra-vms + hosts: seed:seed-hypervisor:overcloud:infra-vms:ansible-control max_fail_percentage: >- {{ users_max_fail_percentage | default(host_configure_max_fail_percentage) | diff --git a/ansible/wipe-disks.yml b/ansible/wipe-disks.yml index 79fe2edf1..37caeb641 100644 --- a/ansible/wipe-disks.yml +++ b/ansible/wipe-disks.yml @@ -8,7 +8,7 @@ # also closed and removed from crypttab. - name: Ensure that all unmounted block devices are wiped - hosts: seed-hypervisor:seed:overcloud:infra-vms + hosts: seed-hypervisor:seed:overcloud:infra-vms:ansible-control max_fail_percentage: >- {{ wipe_disks_max_fail_percentage | default(host_configure_max_fail_percentage) | diff --git a/dev/ansible-control-host-configure.sh b/dev/ansible-control-host-configure.sh new file mode 100755 index 000000000..af65250a4 --- /dev/null +++ b/dev/ansible-control-host-configure.sh 
@@ -0,0 +1,18 @@ +#!/bin/bash + +set -eu +set -o pipefail + +# Simple script to configure a development environment as an Ansible control host. + +PARENT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + +source "${PARENT}/functions" + + +function main { + config_init + ansible_control_host_configure +} + +main diff --git a/dev/functions b/dev/functions index 20e571d26..64c335724 100644 --- a/dev/functions +++ b/dev/functions @@ -320,6 +320,16 @@ function control_host_upgrade { echo "Upgraded control host after $i attempts" } +function ansible_control_host_configure { + # Deploy an Ansible control host. + environment_setup + + control_host_bootstrap + + echo "Configuring the Ansible control host" + run_kayobe control host configure +} + function seed_hypervisor_deploy { # Deploy a seed hypervisor. environment_setup diff --git a/doc/source/administration/ansible-control.rst b/doc/source/administration/ansible-control.rst new file mode 100644 index 000000000..21c3f0dbc --- /dev/null +++ b/doc/source/administration/ansible-control.rst 
@@ -0,0 +1,59 @@ +=================================== +Ansible Control Host Administration +=================================== + +Updating Packages +================= + +It is possible to update packages on the Ansible control host. + +Package Repositories +-------------------- + +If using custom DNF package repositories on CentOS or Rocky, it may be +necessary to update these prior to running a package update. To do this, update +the configuration in ``${KAYOBE_CONFIG_PATH}/dnf.yml`` and run the following +command:: + + (kayobe) $ kayobe control host configure --tags dnf + +Package Update +-------------- + +To update one or more packages:: + + (kayobe) $ kayobe control host package update --packages , + +To update all eligible packages, use ``*``, escaping if necessary:: + + (kayobe) $ kayobe control host package update --packages "*" + +To only install updates that have been marked security related:: + + (kayobe) $ kayobe control host package update --packages "*" --security + +Note that these commands do not affect packages installed in containers, only +those installed on the host. + +Kernel Updates +-------------- + +If the kernel has been updated, you will probably want to reboot the host +to boot into the new kernel. This can be done using a command such as the +following:: + + (kayobe) $ kayobe control host command run --command "shutdown -r" --become + +Running Commands +================ + +It is possible to run a command on the host:: + + (kayobe) $ kayobe control host command run --command "" + +For example:: + + (kayobe) $ kayobe control host command run --command "service docker restart" + +To execute the command with root privileges, add the ``--become`` argument. +Adding the ``--verbose`` argument allows the output of the command to be seen. diff --git a/doc/source/administration/index.rst b/doc/source/administration/index.rst index 79cee41ce..dbdef7672 100644 --- a/doc/source/administration/index.rst +++ b/doc/source/administration/index.rst 
@@ -9,6 +9,7 @@ administrative tasks. :maxdepth: 2 general + ansible-control seed infra-vms overcloud diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst index 694878339..b0ed019a3 100644 --- a/doc/source/configuration/reference/hosts.rst +++ b/doc/source/configuration/reference/hosts.rst @@ -7,6 +7,7 @@ Host Configuration This section covers configuration of hosts. It does not cover configuration or deployment of containers. Hosts that are configured by Kayobe include: +* Ansible control host (``kayobe control host configure``) * Seed hypervisor (``kayobe seed hypervisor host configure``) * Seed (``kayobe seed host configure``) * Infra VMs (``kayobe infra vm host configure``) @@ -26,6 +27,7 @@ Some host configuration options are set via global variables, and others have a variable for each type of host. The latter variables are included in the following files under ``${KAYOBE_CONFIG_PATH}``: +* ``ansible-control.yml`` * ``seed-hypervisor.yml`` * ``seed.yml`` * ``compute.yml`` @@ -83,6 +85,7 @@ user. In cloud images, there is often a user named after the OS distro, e.g. variable, except for CentOS which uses ``cloud-user``, but may be set via the following variables: +* ``ansible_control_bootstrap_user`` * ``seed_hypervisor_bootstrap_user`` * ``seed_bootstrap_user`` * ``infra_vm_bootstrap_user`` @@ -181,6 +184,7 @@ that used by the ``users`` variable of the `singleplatform-eng.users `__ role. The following variables can be used to set the users for specific types of hosts: +* ``ansible_control_users`` * ``seed_hypervisor_users`` * ``seed_users`` * ``infra_vm_users`` @@ -585,6 +589,7 @@ Ubuntu systems. The following variables can be used to set whether to enable firewalld: +* ``ansible_control_firewalld_enabled`` * ``seed_hypervisor_firewalld_enabled`` * ``seed_firewalld_enabled`` * ``infra_vm_firewalld_enabled`` 
@@ -596,6 +601,7 @@ The following variables can be used to set whether to enable firewalld: When firewalld is enabled, the following variables can be used to configure a list of zones to create. Each item is a dict containing a ``zone`` item: +* ``ansible_control_firewalld_zones`` * ``seed_hypervisor_firewalld_zones`` * ``seed_firewalld_zones`` * ``infra_vm_firewalld_zones`` @@ -607,6 +613,7 @@ list of zones to create. Each item is a dict containing a ``zone`` item: The following variables can be used to set a default zone. The default is unset, in which case the default zone will not be changed: +* ``ansible_control_firewalld_default_zone`` * ``seed_hypervisor_firewalld_default_zone`` * ``seed_firewalld_default_zone`` * ``infra_vm_firewalld_default_zone`` @@ -621,6 +628,7 @@ are omitted if not provided, with the following exceptions: ``offline`` (default ``true``), ``permanent`` (default ``true``), ``state`` (default ``enabled``): +* ``ansible_control_firewalld_rules`` * ``seed_hypervisor_firewalld_rules`` * ``seed_firewalld_rules`` * ``infra_vm_firewalld_rules`` @@ -693,6 +701,7 @@ Tuned Built-in ``tuned`` profiles can be applied to hosts. The following variables can be used to set a ``tuned`` profile to specific types of hosts: +* ``ansible_control_tuned_active_builtin_profile`` * ``seed_hypervisor_tuned_active_builtin_profile`` * ``seed_tuned_active_builtin_profile`` * ``compute_tuned_active_builtin_profile`` @@ -704,6 +713,7 @@ can be used to set a ``tuned`` profile to specific types of hosts: By default, Kayobe applies a ``tuned`` profile matching the role of each host in the system: +* Ansible control host: ``throughput-performance`` * seed hypervisor: ``virtual-host`` * seed: ``virtual-guest`` * infrastructure VM: ``virtual-guest`` 
@@ -729,6 +739,7 @@ Arbitrary ``sysctl`` configuration can be applied to hosts. The variable format is a dict/map, mapping parameter names to their required values. The following variables can be used to set ``sysctl`` configuration specific types of hosts: +* ``ansible_control_sysctl_parameters`` * ``seed_hypervisor_sysctl_parameters`` * ``seed_sysctl_parameters`` * ``infra_vm_sysctl_parameters`` @@ -828,6 +839,8 @@ Kayobe will configure `Chrony `__ on all hosts in seed seed-hypervisor overcloud + infra-vms + ansible-control This provides a flexible way to opt in or out of having kayobe manage the NTP service. @@ -870,6 +883,7 @@ arrays they want to manage with Kayobe. Software RAID arrays may be configured via the ``mdadm_arrays`` variable. For convenience, this is mapped to the following variables: +* ``ansible_control_mdadm_arrays`` * ``seed_hypervisor_mdadm_arrays`` * ``seed_mdadm_arrays`` * ``infra_vm_mdadm_arrays`` @@ -906,6 +920,7 @@ Encryption Encrypted block devices may be configured via the ``luks_devices`` variable. For convenience, this is mapped to the following variables: +* ``ansible_control_luks_devices`` * ``seed_hypervisor_luks_devices`` * ``seed_luks_devices`` * ``infra_vm_luks_devices`` @@ -943,6 +958,7 @@ Logical Volume Manager (LVM) physical volumes, volume groups, and logical volumes may be configured via the ``lvm_groups`` variable. For convenience, this is mapped to the following variables: +* ``ansible_control_lvm_groups`` * ``seed_hypervisor_lvm_groups`` * ``seed_lvm_groups`` * ``infra_vm_lvm_groups`` @@ -980,6 +996,7 @@ can optionally be created. The logical volume is created in volume group called This configuration is enabled by the following variables, which default to ``false``: +* ``ansible_control_lvm_group_data_enabled`` * ``compute_lvm_group_data_enabled`` * ``controller_lvm_group_data_enabled`` * ``seed_lvm_group_data_enabled`` 
@@ -989,6 +1006,7 @@ This configuration is enabled by the following variables, which default to To use this configuration, a list of disks must be configured via the following variables: +* ``ansible_control_lvm_group_data_disks`` * ``seed_lvm_group_data_disks`` * ``infra_vm_lvm_group_data_disks`` * ``compute_lvm_group_data_disks`` @@ -1008,6 +1026,7 @@ For example, to configure two of the seed's disks for use by LVM: The Docker volumes LVM volume is assigned a size given by the following variables, with a default value of 75% (of the volume group's capacity): +* ``ansible_control_lvm_group_data_lv_docker_volumes_size`` * ``seed_lvm_group_data_lv_docker_volumes_size`` * ``infra_vm_lvm_group_data_lv_docker_volumes_size`` * ``compute_lvm_group_data_lv_docker_volumes_size`` @@ -1038,6 +1057,7 @@ Custom LVM To define additional logical logical volumes in the default ``data`` volume group, modify one of the following variables: +* ``ansible_control_lvm_group_data_lvs`` * ``seed_lvm_group_data_lvs`` * ``infra_vm_lvm_group_data_lvs`` * ``compute_lvm_group_data_lvs`` @@ -1063,6 +1083,7 @@ include the LVM volume for Docker volume data: It is possible to define additional LVM volume groups via the following variables: +* ``ansible_control_lvm_groups_extra`` * ``seed_lvm_groups_extra`` * ``infra_vm_lvm_groups_extra`` * ``compute_lvm_groups_extra`` @@ -1134,6 +1155,25 @@ example, to use podman: container_engine: podman +The container engine is deployed on hosts in the ``container-engine`` group. By +default this includes the following groups: + +.. code-block:: ini + + [container-engine:children] + # Hosts in this group will have Docker/Podman installed. + seed + controllers + network + monitoring + storage + compute + ansible-control + +Note that deployment of a container engine is disabled by default on the +Ansible control host. This can be changed by setting +``ansible_control_container_engine_enabled`` to ``true``. + Podman ------ 
@@ -1360,6 +1400,7 @@ Swap Swap files and devices may be configured via the ``swap`` variable. For convenience, this is mapped to the following variables: +* ``ansible_control_swap`` * ``seed_swap`` * ``seed_hypervisor_swap`` * ``infra_vm_swap`` diff --git a/doc/source/configuration/reference/network.rst b/doc/source/configuration/reference/network.rst index d104f9897..9e6789006 100644 --- a/doc/source/configuration/reference/network.rst +++ b/doc/source/configuration/reference/network.rst @@ -880,6 +880,19 @@ Kayobe's playbook group variables define some sensible defaults for this variable for hosts in the top level standard groups. These defaults are set using the network roles typically required by the group. +Ansible Control Host +-------------------- + +By default, the Ansible control host is attached to the following network: + +* overcloud admin network + +This list may be extended by setting +``ansible_control_extra_network_interfaces`` to a list of names of additional +networks to attach. Alternatively, the list may be completely overridden by +setting ``ansible_control_network_interfaces``. These variables are found in +``${KAYOBE_CONFIG_PATH}/ansible-control.yml``. + Seed ---- diff --git a/doc/source/deployment.rst b/doc/source/deployment.rst index 5f653d5af..c39d0fe3c 100644 --- a/doc/source/deployment.rst +++ b/doc/source/deployment.rst 
@@ -29,6 +29,35 @@ To bootstrap the Ansible control host:: (kayobe) $ kayobe control host bootstrap +Since the Gazpacho 20.0.0 release it is possible to manage the Ansible control +host's configuration in the same way as other hosts. If using this feature, the +Ansible control host should be added to the Kayobe inventory in the +``ansible-control`` group. Typically this host will be ``localhost``, although +it is also possible to manage an Ansible control host remotely. For example: + +.. code-block:: ini + :caption: ``${KAYOBE_CONFIG_PATH}/inventory/groups`` + + [ansible-control] + localhost + +To configure the Ansible control host OS:: + + (kayobe) $ kayobe control host configure + +.. note:: + + If the Ansible control host uses disks that have been in use in a previous + installation, it may be necessary to wipe partition and LVM data from those + disks. To wipe all disks that are not mounted during host configuration:: + + (kayobe) $ kayobe control host configure --wipe-disks + +.. seealso:: + + Information on configuration of hosts is available :ref:`here + `. + .. _physical-network: Physical Network diff --git a/etc/kayobe/ansible-control.yml b/etc/kayobe/ansible-control.yml new file mode 100644 index 000000000..76889eb23 --- /dev/null +++ b/etc/kayobe/ansible-control.yml 
@@ -0,0 +1,124 @@ +--- +############################################################################### +# Ansible control host configuration. + +# User with which to access the Ansible control host via SSH during bootstrap, +# in order to setup the Kayobe user account. Default is {{ os_distribution }}. +#ansible_control_bootstrap_user: + +############################################################################### +# Ansible control host network interface configuration. + +# List of networks to which Ansible control host are attached. +#ansible_control_network_interfaces: + +# List of default networks to which Ansible control host are attached. +#ansible_control_default_network_interfaces: + +# List of extra networks to which Ansible control host are attached. +#ansible_control_extra_network_interfaces: + +############################################################################### +# Ansible control host software RAID configuration. + +# List of software RAID arrays. See mrlesmithjr.mdadm role for format. +#ansible_control_mdadm_arrays: + +############################################################################### +# Ansible control host encryption configuration. + +# List of block devices to encrypt. See stackhpc.luks role for format. +#ansible_control_luks_devices: + +############################################################################### +# Ansible control host LVM configuration. + +# List of Ansible control host volume groups. See mrlesmithjr.manage_lvm role +# for format. +#ansible_control_lvm_groups: + +# Default list of Ansible control host volume groups. See +# mrlesmithjr.manage_lvm role for format. +#ansible_control_lvm_groups_default: + +# Additional list of Ansible control host volume groups. See +# mrlesmithjr.manage_lvm role for format. +#ansible_control_lvm_groups_extra: + +# Whether a 'data' LVM volume group should exist on the Ansible control host. 
+# By default this contains a 'docker-volumes' logical volume for Docker volume +# storage. Default is false. +#ansible_control_lvm_group_data_enabled: + +# Ansible control host LVM volume group for data. See mrlesmithjr.manage_lvm +# role for format. +#ansible_control_lvm_group_data: + +# List of disks for use by Ansible control host LVM data volume group. Default +# to an invalid value to require configuration. +#ansible_control_lvm_group_data_disks: + +# List of LVM logical volumes for the data volume group. +#ansible_control_lvm_group_data_lvs: + +# Docker volumes LVM backing volume. +#ansible_control_lvm_group_data_lv_docker_volumes: + +# Size of docker volumes LVM backing volume. +#ansible_control_lvm_group_data_lv_docker_volumes_size: + +# Filesystem for docker volumes LVM backing volume. ext4 allows for shrinking. +#ansible_control_lvm_group_data_lv_docker_volumes_fs: + +############################################################################### +# Ansible control host sysctl configuration. + +# Dict of sysctl parameters to set. +#ansible_control_sysctl_parameters: + +############################################################################### +# Ansible control host tuned configuration. + +# Builtin tuned profile to use. Format is same as that used by giovtorres.tuned +# role. Default is throughput-performance. +#ansible_control_tuned_active_builtin_profile: + +############################################################################### +# Ansible control host user configuration. + +# List of users to create. This should be in a format accepted by the +# singleplatform-eng.users role. +#ansible_control_users: + +############################################################################### +# Ansible control host firewalld configuration. + +# Whether to install and enable firewalld. +#ansible_control_firewalld_enabled: + +# A list of zones to create. Each item is a dict containing a 'zone' item. 
+#ansible_control_firewalld_zones: + +# A firewalld zone to set as the default. Default is unset, in which case the +# default zone will not be changed. +#ansible_control_firewalld_default_zone: + +# A list of firewall rules to apply. Each item is a dict containing arguments +# to pass to the firewalld module. Arguments are omitted if not provided, with +# the following exceptions: +# - offline: true +# - permanent: true +# - state: enabled +#ansible_control_firewalld_rules: + +############################################################################### +# Ansible control host swap configuration. + +# List of swap devices. Each item is a dict containing a 'device' item. +#ansible_control_swap: + +############################################################################### +# Ansible control host container engine configuration. + +# Whether a container engine should be configured. Default is false. +#ansible_control_container_engine_enabled: diff --git a/etc/kayobe/inventory/group_vars/ansible-control/ansible-python-interpreter b/etc/kayobe/inventory/group_vars/ansible-control/ansible-python-interpreter new file mode 100644 index 000000000..54abbf23c --- /dev/null +++ b/etc/kayobe/inventory/group_vars/ansible-control/ansible-python-interpreter @@ -0,0 +1,3 @@ +--- +# Use a virtual environment for remote operations. +ansible_python_interpreter: "{{ virtualenv_path }}/kayobe/bin/python" diff --git a/etc/kayobe/inventory/group_vars/ansible-control/network-interfaces b/etc/kayobe/inventory/group_vars/ansible-control/network-interfaces new file mode 100644 index 000000000..6880128da --- /dev/null +++ b/etc/kayobe/inventory/group_vars/ansible-control/network-interfaces 
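Review bot: The comment for `ansible_control_firewalld_enabled` does not state a default, whereas `ansible_control_lvm_group_data_enabled` and `ansible_control_container_engine_enabled` in the same file both say "Default is false". An operator reading this file cannot tell whether `kayobe control host configure` manages a firewall on the control host unless they opt in. I would extend the comment to `# Whether to install and enable firewalld. Default is <value from the group defaults>.`, with the value taken from the defaults file, which is not part of this hunk.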
@@ -0,0 +1,20 @@ +--- +############################################################################### +# Network interface definitions for the ansible-control group. + +# NOTE: The content of this section is very deployment-specific, since it +# depends on the names and types of networks in the deployment. It should +# define the group-specific attributes of networks. The following example shows +# a basic configuration for a network called "example": +# +# example_interface: eth0 +# +# Global network attributes such as subnet CIDRs are typically configured in +# etc/kayobe/networks.yml. +# +# Further information on the available network attributes is provided in the +# network configuration reference in the Kayobe documentation. + +############################################################################### +# Dummy variable to allow Ansible to accept this file. +workaround_ansible_issue_8743: yes diff --git a/etc/kayobe/inventory/groups b/etc/kayobe/inventory/groups index 0f57def4a..fee8c48e7 100644 --- a/etc/kayobe/inventory/groups +++ b/etc/kayobe/inventory/groups @@ -1,6 +1,12 @@ # Kayobe groups inventory file. This file should generally not be modified. # If declares the top-level groups and sub-groups. +############################################################################### +# Ansible control host groups. + +[ansible-control] +# Empty group to provide declaration of ansible-control group. + ############################################################################### # Seed groups. @@ -73,6 +79,7 @@ network monitoring storage compute +ansible-control [docker-registry:children] # Hosts in this group will have a Docker Registry deployed. This group should @@ -86,6 +93,7 @@ seed seed-hypervisor overcloud infra-vms +ansible-control ############################################################################### # Baremetal compute node groups. diff --git a/kayobe/cli/commands.py b/kayobe/cli/commands.py index 2c9cb97a0..4dbcb4cdc 100644 
--- a/kayobe/cli/commands.py +++ b/kayobe/cli/commands.py 
@@ -310,6 +310,106 @@ def take_action(self, parsed_args): self.run_kayobe_playbooks(parsed_args, playbooks) +class ControlHostConfigure(KayobeAnsibleMixin, VaultMixin, Command): + """Configure the Ansible control host OS and services. + + * Allocate IP addresses for all configured networks. + * Add the host to SSH known hosts. + * Configure a user account for use by kayobe for SSH access. + * Configure proxy settings. + * Configure package repos. + * Configure a PyPI mirror. + * Optionally, create a virtualenv for remote target hosts. + * Optionally, wipe unmounted disk partitions (--wipe-disks). + * Configure user accounts, group associations, and authorised SSH keys. + * Configure SELinux. + * Configure the host's network interfaces. + * Configure a firewall. + * Configure tuned profile. + * Set sysctl parameters. + * Configure timezone and ntp. + * Optionally, configure software RAID arrays. + * Optionally, configure encryption. + * Configure LVM volumes. + * Configure swap. + * Optionally, configure a container engine. + """ + + def get_parser(self, prog_name): + parser = super(ControlHostConfigure, self).get_parser(prog_name) + group = parser.add_argument_group("Host Configuration") + group.add_argument("--wipe-disks", action='store_true', + help="wipe partition and LVM data from all disks " + "that are not mounted. Warning: this can " + "result in the loss of data") + return parser + + def take_action(self, parsed_args): + self.app.LOG.debug("Configuring Ansible control host OS") + + # Allocate IP addresses. + playbooks = _build_playbook_list("ip-allocation") + self.run_kayobe_playbooks(parsed_args, playbooks, + limit="ansible-control") + + # Kayobe playbooks. 
+ kwargs = {} + if parsed_args.wipe_disks: + kwargs["extra_vars"] = {"wipe_disks": True} + playbooks = _build_playbook_list("control-host-configure") + self.run_kayobe_playbooks(parsed_args, playbooks, + limit="ansible-control", **kwargs) + + +class ControlHostCommandRun(KayobeAnsibleMixin, VaultMixin, Command): + """Run command on the Ansible control host.""" + + def get_parser(self, prog_name): + parser = super(ControlHostCommandRun, self).get_parser(prog_name) + group = parser.add_argument_group("Host Command Run") + group.add_argument("--command", required=True, + help="Command to run (required).") + group.add_argument("--show-output", action='store_true', + help="Show command output") + return parser + + def take_action(self, parsed_args): + self.app.LOG.debug("Run command on Ansible control host") + extra_vars = { + "host_command_to_run": utils.escape_jinja(parsed_args.command), + "show_output": parsed_args.show_output} + playbooks = _build_playbook_list("host-command-run") + self.run_kayobe_playbooks(parsed_args, playbooks, + limit="ansible-control", + extra_vars=extra_vars) + + +class ControlHostPackageUpdate(KayobeAnsibleMixin, VaultMixin, Command): + """Update packages on the Ansible control host.""" + + def get_parser(self, prog_name): + parser = super(ControlHostPackageUpdate, self).get_parser(prog_name) + group = parser.add_argument_group("Host Package Updates") + group.add_argument("--packages", required=True, + help="List of packages to update. 
Use '*' to " + "update all packages.") + group.add_argument("--security", action='store_true', + help="Only install updates that have been marked " + "security related.") + return parser + + def take_action(self, parsed_args): + self.app.LOG.debug("Updating Ansible control host packages") + extra_vars = { + "host_package_update_packages": parsed_args.packages, + "host_package_update_security": parsed_args.security, + } + playbooks = _build_playbook_list("host-package-update") + self.run_kayobe_playbooks(parsed_args, playbooks, + limit="ansible-control", + extra_vars=extra_vars) + + class ControlHostUpgrade(KayobeAnsibleMixin, VaultMixin, Command): """Upgrade the Kayobe control environment. diff --git a/kayobe/tests/unit/cli/test_commands.py b/kayobe/tests/unit/cli/test_commands.py index f50a6e1e7..a72d76ecd 100644 --- a/kayobe/tests/unit/cli/test_commands.py +++ b/kayobe/tests/unit/cli/test_commands.py 
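Review bot: `ControlHostPackageUpdate.take_action` puts `parsed_args.packages` into `extra_vars` unchanged, while `ControlHostCommandRun.take_action` in the same hunk wraps its string argument in `utils.escape_jinja(...)`. If extra-vars values are templated downstream, as the escaping of `--command` suggests, a `--packages` value containing `{{ ... }}` would be evaluated as a template instead of being treated as a package name. Consider `"host_package_update_packages": utils.escape_jinja(parsed_args.packages),` and updating the expected call in `test_control_host_package_update_all` to match. This assumes host-package-update.yml accepts the escaped form, which is not visible here.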
@@ -117,6 +117,113 @@ def test_control_host_bootstrap_with_passwords( ] self.assertListEqual(expected_calls, mock_kolla_run.call_args_list) + @mock.patch.object(commands.KayobeAnsibleMixin, + "run_kayobe_playbooks") + def test_control_host_configure(self, mock_run): + command = commands.ControlHostConfigure(TestApp(), []) + parser = command.get_parser("test") + parsed_args = parser.parse_args([]) + + result = command.run(parsed_args) + self.assertEqual(0, result) + + expected_calls = [ + mock.call( + mock.ANY, + [utils.get_data_files_path("ansible", "ip-allocation.yml")], + limit="ansible-control", + ), + mock.call( + mock.ANY, + [ + utils.get_data_files_path( + "ansible", "control-host-configure.yml"), + ], + limit="ansible-control", + ), + ] + self.assertListEqual(expected_calls, mock_run.call_args_list) + + @mock.patch.object(commands.KayobeAnsibleMixin, + "run_kayobe_playbooks") + def test_control_host_configure_wipe_disks(self, mock_run): + command = commands.ControlHostConfigure(TestApp(), []) + parser = command.get_parser("test") + parsed_args = parser.parse_args(["--wipe-disks"]) + + result = command.run(parsed_args) + self.assertEqual(0, result) + + expected_calls = [ + mock.call( + mock.ANY, + [utils.get_data_files_path("ansible", "ip-allocation.yml")], + limit="ansible-control", + ), + mock.call( + mock.ANY, + [ + utils.get_data_files_path( + "ansible", "control-host-configure.yml"), + ], + limit="ansible-control", + extra_vars={"wipe_disks": True}, + ), + ] + self.assertListEqual(expected_calls, mock_run.call_args_list) + + @mock.patch.object(commands.KayobeAnsibleMixin, + "run_kayobe_playbooks") + def test_control_host_command_run(self, mock_run): + command = commands.ControlHostCommandRun(TestApp(), []) + parser = command.get_parser("test") + parsed_args = parser.parse_args(["--command", "ls -a", + "--show-output"]) + + result = command.run(parsed_args) + self.assertEqual(0, result) + + expected_calls = [ + mock.call( + mock.ANY, + [ + 
utils.get_data_files_path("ansible", + "host-command-run.yml"), + ], + limit="ansible-control", + extra_vars={ + "host_command_to_run": utils.escape_jinja("ls -a"), + "show_output": True} + ), + ] + self.assertListEqual(expected_calls, mock_run.call_args_list) + + @mock.patch.object(commands.KayobeAnsibleMixin, + "run_kayobe_playbooks") + def test_control_host_package_update_all(self, mock_run): + command = commands.ControlHostPackageUpdate(TestApp(), []) + parser = command.get_parser("test") + parsed_args = parser.parse_args(["--packages", "*"]) + + result = command.run(parsed_args) + self.assertEqual(0, result) + + expected_calls = [ + mock.call( + mock.ANY, + [ + utils.get_data_files_path( + "ansible", "host-package-update.yml"), + ], + limit="ansible-control", + extra_vars={ + "host_package_update_packages": "*", + "host_package_update_security": False, + }, + ), + ] + self.assertListEqual(expected_calls, mock_run.call_args_list) + @mock.patch.object(ansible, "install_galaxy_roles", autospec=True) @mock.patch.object(ansible, "install_galaxy_collections", autospec=True) @mock.patch.object(ansible, "prune_galaxy_roles", autospec=True) diff --git a/releasenotes/notes/control-host-configure-ca4bb8c4de59c370.yaml b/releasenotes/notes/control-host-configure-ca4bb8c4de59c370.yaml new file mode 100644 index 000000000..681a4ae08 --- /dev/null +++ b/releasenotes/notes/control-host-configure-ca4bb8c4de59c370.yaml @@ -0,0 +1,10 @@ +--- +features: + - | + Adds support for managing the Ansible control host configuration. This is + provided by the new ``kayobe control host configure`` command, and uses the + existing host configuration features in Kayobe. + + Also provided is a ``kayobe control host command run`` command for running + commands on the Ansible control host, and a ``kayobe control host package + update`` command for updating its OS packages. diff --git a/setup.cfg b/setup.cfg index 7e493174f..81bc91a1d 100644 --- a/setup.cfg +++ b/setup.cfg 
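Review bot: `test_control_host_package_update_all` is the only test added for `ControlHostPackageUpdate`, so the `--security` flag is never exercised. Every assertion in this hunk sees `"host_package_update_security": False`. I would add a sibling case that parses `["--packages", "*", "--security"]` and expects `"host_package_update_security": True` in `extra_vars`. A case with an explicit package list instead of `"*"` would also pin how the `--packages` string is forwarded.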
@@ -47,6 +47,9 @@ kayobe.cli= baremetal_compute_serial_console_enable = kayobe.cli.commands:BaremetalComputeSerialConsoleEnable baremetal_compute_serial_console_disable = kayobe.cli.commands:BaremetalComputeSerialConsoleDisable control_host_bootstrap = kayobe.cli.commands:ControlHostBootstrap + control_host_command_run = kayobe.cli.commands:ControlHostCommandRun + control_host_configure = kayobe.cli.commands:ControlHostConfigure + control_host_package_update = kayobe.cli.commands:ControlHostPackageUpdate control_host_upgrade = kayobe.cli.commands:ControlHostUpgrade configuration_dump = kayobe.cli.commands:ConfigurationDump environment_create = kayobe.cli.commands:EnvironmentCreate @@ -127,6 +130,12 @@ kayobe.cli.baremetal_compute_serial_console_disable = hooks = kayobe.cli.commands:HookDispatcher kayobe.cli.control_host_bootstrap = hooks = kayobe.cli.commands:HookDispatcher +kayobe.cli.control_host_command_run = + hooks = kayobe.cli.commands:HookDispatcher +kayobe.cli.control_host_configure = + hooks = kayobe.cli.commands:HookDispatcher +kayobe.cli.control_host_package_update = + hooks = kayobe.cli.commands:HookDispatcher kayobe.cli.control_host_upgrade = hooks = kayobe.cli.commands:HookDispatcher kayobe.cli.configuration_dump = From cfe58bff0060a68b5ed1e8c5d0a335a43e8866c2 Mon Sep 17 00:00:00 2001 From: Jack Hodgkiss Date: Fri, 20 Feb 2026 09:48:10 +0000 Subject: [PATCH 174/187] fix (docs): correct passwords view command When originally introduced the `kayobe overcloud service passwords view` command included usage documentation that showed the wrong command this has been corrected. Change-Id: I806c9ea8a8175a564e6deb131f715bb0abea158f Signed-off-by: Jack Hodgkiss --- doc/source/usage.rst | 2 +- .../notes/add-passwords-view-command-2f55d83dca037e3d.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/source/usage.rst b/doc/source/usage.rst index 70581eb9e..499a1b5ee 100644 --- a/doc/source/usage.rst +++ b/doc/source/usage.rst 
@@ -54,7 +54,7 @@ password for a given service. This can be done with ``ansible-vault view`` however if an absolute path is not provided it will cause the command to fail. Therefore, to make reading the contents of this file easier for administrators -it is possible to use ``kayobe overcloud passwords view`` which will +it is possible to use ``kayobe overcloud service passwords view`` which will temporarily decrypt and display the contents of ``kolla/passwords.yml`` for the active kayobe environment. diff --git a/releasenotes/notes/add-passwords-view-command-2f55d83dca037e3d.yaml b/releasenotes/notes/add-passwords-view-command-2f55d83dca037e3d.yaml index b908fb105..2739d0ba8 100644 --- a/releasenotes/notes/add-passwords-view-command-2f55d83dca037e3d.yaml +++ b/releasenotes/notes/add-passwords-view-command-2f55d83dca037e3d.yaml @@ -2,4 +2,4 @@ features: - | Add support for easily viewing the content of ``kolla/passwords.yml`` with - the new command ``kayobe overcloud passwords view``. + the new command ``kayobe overcloud service passwords view``. From 1b6ace4798ab1a223c6b755be6cdd011081cf2f8 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 20 Feb 2026 14:17:40 +0100 Subject: [PATCH 175/187] Add dummy variable to fix Ansible parsing Change-Id: I34081d7d2e46cf8229609f366998c6d798eb0caf Signed-off-by: Pierre Riteau --- etc/kayobe/ansible-control.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/etc/kayobe/ansible-control.yml b/etc/kayobe/ansible-control.yml index 76889eb23..cd6b563d5 100644 --- a/etc/kayobe/ansible-control.yml +++ b/etc/kayobe/ansible-control.yml @@ -122,3 +122,7 @@ # Whether a container engine should be configured. Default is false. #ansible_control_container_engine_enabled: + +############################################################################### +# Dummy variable to allow Ansible to accept this file. +workaround_ansible_issue_8743: yes From aa230f9d05eea695f2aaa09a348f56a2079e6eda Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Wed, 25 Feb 2026 09:30:59 +0100 Subject: [PATCH 176/187] CI: Disable seed jobs Bifrost is currently broken by passlib issues. Change-Id: Ib5b031b27195a2b39daf2d05a43af4d8c8f9882c Signed-off-by: Pierre Riteau --- zuul.d/project.yaml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 37fe7338e..c040a3d15 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -28,14 +28,14 @@ - kayobe-overcloud-upgrade-slurp-rocky10 - kayobe-overcloud-upgrade-slurp-ubuntu-noble - kayobe-overcloud-upgrade-ubuntu-noble - - kayobe-seed-rocky10 - - kayobe-seed-rocky10-podman - - kayobe-seed-ubuntu-noble - - kayobe-seed-ubuntu-noble-podman - - kayobe-seed-upgrade-rocky10 - - kayobe-seed-upgrade-slurp-rocky10 - - kayobe-seed-upgrade-slurp-ubuntu-noble - - kayobe-seed-upgrade-ubuntu-noble + #- kayobe-seed-rocky10 + #- kayobe-seed-rocky10-podman + #- kayobe-seed-ubuntu-noble + #- kayobe-seed-ubuntu-noble-podman + #- kayobe-seed-upgrade-rocky10 + #- kayobe-seed-upgrade-slurp-rocky10 + #- kayobe-seed-upgrade-slurp-ubuntu-noble + #- kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky10 - kayobe-seed-vm-ubuntu-noble gate: @@ -59,14 +59,14 @@ - kayobe-overcloud-upgrade-slurp-rocky10 - kayobe-overcloud-upgrade-slurp-ubuntu-noble - kayobe-overcloud-upgrade-ubuntu-noble - - kayobe-seed-rocky10 - - kayobe-seed-rocky10-podman - - kayobe-seed-ubuntu-noble - - kayobe-seed-ubuntu-noble-podman - - kayobe-seed-upgrade-rocky10 - - kayobe-seed-upgrade-slurp-rocky10 - - kayobe-seed-upgrade-slurp-ubuntu-noble - - kayobe-seed-upgrade-ubuntu-noble + #- kayobe-seed-rocky10 + #- kayobe-seed-rocky10-podman + #- kayobe-seed-ubuntu-noble + #- kayobe-seed-ubuntu-noble-podman + #- kayobe-seed-upgrade-rocky10 + #- kayobe-seed-upgrade-slurp-rocky10 + #- kayobe-seed-upgrade-slurp-ubuntu-noble + #- kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky10 - kayobe-seed-vm-ubuntu-noble 
From bf3b3356228aa48ff58cc49f5fe7504fda04bc88 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Mon, 2 Mar 2026 14:29:08 +0100 Subject: [PATCH 177/187] Fix compatibility with python-ironicclient 6.0.0 Release 6.0.0 of python-ironicclient changed the way node attributes are named in JSON output [1]. We now need to access attributes using lower case. [1] https://review.opendev.org/c/openstack/python-ironicclient/+/973948 Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/901100 Change-Id: Iccb99cfd1a723b3680b64781488d15e417642522 Signed-off-by: Pierre Riteau --- ansible/baremetal-compute-rename.yml | 6 ++--- ansible/baremetal-compute-serial-console.yml | 24 +++++++++---------- .../ipa-images/tasks/set-driver-info.yml | 14 +++++------ 3 files changed, 22 insertions(+), 22 deletions(-) diff --git a/ansible/baremetal-compute-rename.yml b/ansible/baremetal-compute-rename.yml index b2dd3330c..7a4ef1cdc 100644 --- a/ansible/baremetal-compute-rename.yml +++ b/ansible/baremetal-compute-rename.yml @@ -54,7 +54,7 @@ - name: Rename baremetal compute nodes command: > - {{ venv }}/bin/openstack baremetal node set --name "{{ inventory_hostname }}" "{{ node['UUID'] }}" + {{ venv }}/bin/openstack baremetal node set --name "{{ inventory_hostname }}" "{{ node['uuid'] }}" delegate_to: "{{ controller_host }}" environment: "{{ openstack_auth_env }}" vars: 
@@ -62,8 +62,8 @@ # be respected when using delegate_to. ansible_host: "{{ hostvars[controller_host].ansible_host | default(controller_host) }}" ipmi_address: "{{ hostvars[inventory_hostname].ipmi_address }}" - matching_nodes: "{{ (nodes.stdout | from_json) | selectattr('Driver Info.ipmi_address', 'defined') | selectattr('Driver Info.ipmi_address', 'equalto', ipmi_address) | list }}" + matching_nodes: "{{ (nodes.stdout | from_json) | selectattr('driver_info.ipmi_address', 'defined') | selectattr('driver_info.ipmi_address', 'equalto', ipmi_address) | list }}" node: "{{ matching_nodes | first }}" when: - matching_nodes | length > 0 - - node['Name'] != inventory_hostname + - node['name'] != inventory_hostname diff --git a/ansible/baremetal-compute-serial-console.yml b/ansible/baremetal-compute-serial-console.yml index 9de0ae976..cd987a485 100644 --- a/ansible/baremetal-compute-serial-console.yml +++ b/ansible/baremetal-compute-serial-console.yml @@ -79,11 +79,11 @@ fail: msg: >- In order to use the serial console you must set the console_interface to ipmitool-socat. - when: node["Console Interface"] != "ipmitool-socat" + when: node["console_interface"] != "ipmitool-socat" - name: Set IPMI serial console terminal port vars: - name: "{{ node['Name'] }}" + name: "{{ node['name'] }}" port: "{{ hostvars[controller_host].console_allocation_result.ports[name] }}" # NOTE: Without this, the controller's ansible_host variable will not # be respected when using delegate_to. @@ -93,8 +93,8 @@ delegate_to: "{{ controller_host }}" environment: "{{ openstack_auth_env }}" when: >- - node['Driver Info'].ipmi_terminal_port is not defined or - node['Driver Info'].ipmi_terminal_port | int != port | int + node['driver_info'].ipmi_terminal_port is not defined or + node['driver_info'].ipmi_terminal_port | int != port | int - name: Enable the IPMI socat serial console vars: 
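Review bot: In the `vars` of "Rename baremetal compute nodes", `matching_nodes` now filters on `selectattr('driver_info.ipmi_address', 'defined')`, and the task is guarded by `matching_nodes | length > 0`. If the client installed in `{{ venv }}` predates python-ironicclient 6.0.0 and still emits the old key names, every node is filtered out and the rename is skipped without an error. Nothing in the hunk states the minimum client version, so I would add a comment above the task: `# Requires python-ironicclient >= 6.0.0 (lower-case JSON keys); older output matches no nodes and the rename is skipped.` The task begins in the previous hunk and the play continues outside both. The serial-console and ipa-images hunks of this commit rely on the same version assumption.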
@@ -102,14 +102,14 @@ # be respected when using delegate_to. ansible_host: "{{ hostvars[controller_host].ansible_host | default(controller_host) }}" command: > - {{ venv }}/bin/openstack baremetal node console enable {{ node['Name'] }} + {{ venv }}/bin/openstack baremetal node console enable {{ node['name'] }} delegate_to: "{{ controller_host }}" environment: "{{ openstack_auth_env }}" - when: not node['Console Enabled'] + when: not node['console_enabled'] vars: matching_nodes: >- - {{ (nodes.stdout | from_json) | selectattr('Name', 'defined') | - selectattr('Name', 'equalto', inventory_hostname) | list }} + {{ (nodes.stdout | from_json) | selectattr('name', 'defined') | + selectattr('name', 'equalto', inventory_hostname) | list }} node: "{{ matching_nodes | first }}" when: - cmd == "enable" @@ -122,14 +122,14 @@ # be respected when using delegate_to. ansible_host: "{{ hostvars[controller_host].ansible_host | default(controller_host) }}" command: > - {{ venv }}/bin/openstack baremetal node console disable {{ node['Name'] }} + {{ venv }}/bin/openstack baremetal node console disable {{ node['name'] }} delegate_to: "{{ controller_host }}" environment: "{{ openstack_auth_env }}" - when: node['Console Enabled'] + when: node['console_enabled'] vars: matching_nodes: >- - {{ (nodes.stdout | from_json) | selectattr('Name', 'defined') | - selectattr('Name', 'equalto', inventory_hostname) | list }} + {{ (nodes.stdout | from_json) | selectattr('name', 'defined') | + selectattr('name', 'equalto', inventory_hostname) | list }} node: "{{ matching_nodes | first }}" when: - cmd == "disable" diff --git a/ansible/roles/ipa-images/tasks/set-driver-info.yml b/ansible/roles/ipa-images/tasks/set-driver-info.yml index c2c11fcc9..6ddcbc89e 100644 --- a/ansible/roles/ipa-images/tasks/set-driver-info.yml +++ b/ansible/roles/ipa-images/tasks/set-driver-info.yml 
@@ -36,11 +36,11 @@ - name: Make sure openstack nodes are in baremetal-compute group add_host: - name: "{{ item.Name }}" + name: "{{ item.name }}" groups: baremetal-compute when: - - item.Name is not none - - item.Name not in groups["baremetal-compute"] + - item.name is not none + - item.name not in groups["baremetal-compute"] with_items: "{{ ipa_images_ironic_node_list.stdout | from_json }}" - name: Set fact containing filtered list of nodes @@ -55,15 +55,15 @@ set_fact: ipa_images_ironic_nodes: "{{ ipa_images_ironic_nodes + [item] }}" with_items: "{{ ipa_images_ironic_node_list.stdout | from_json }}" - when: item['Name'] in ipa_images_compute_node_whitelist + when: item['name'] in ipa_images_compute_node_whitelist - name: Ensure ironic nodes use the new Ironic Python Agent (IPA) images command: > - {{ ipa_images_venv }}/bin/openstack baremetal node set {{ item.UUID }} + {{ ipa_images_venv }}/bin/openstack baremetal node set {{ item.uuid }} --driver-info deploy_kernel={{ ipa_images_kernel_uuid }} --driver-info deploy_ramdisk={{ ipa_images_ramdisk_uuid }} with_items: "{{ ipa_images_ironic_nodes }}" when: - item["Driver Info"].deploy_kernel != ipa_images_kernel_uuid or - item["Driver Info"].deploy_ramdisk != ipa_images_ramdisk_uuid + item["driver_info"].deploy_kernel != ipa_images_kernel_uuid or + item["driver_info"].deploy_ramdisk != ipa_images_ramdisk_uuid environment: "{{ ipa_images_ironic_openstack_auth_env }}" From 4ddee654e56a05bccd2f0105dc1fd1d3b6f1fd4c Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 4 Mar 2026 08:33:34 +0100 Subject: [PATCH 178/187] Revert "CI: Disable seed jobs" This reverts commit aa230f9d05eea695f2aaa09a348f56a2079e6eda. Reason for revert: Bifrost passlib fix is merged. Change-Id: I5b179291a335cb32c782cf351554fdd6bd3e144f Signed-off-by: Pierre Riteau --- zuul.d/project.yaml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) 
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index c040a3d15..37fe7338e 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -28,14 +28,14 @@ - kayobe-overcloud-upgrade-slurp-rocky10 - kayobe-overcloud-upgrade-slurp-ubuntu-noble - kayobe-overcloud-upgrade-ubuntu-noble - #- kayobe-seed-rocky10 - #- kayobe-seed-rocky10-podman - #- kayobe-seed-ubuntu-noble - #- kayobe-seed-ubuntu-noble-podman - #- kayobe-seed-upgrade-rocky10 - #- kayobe-seed-upgrade-slurp-rocky10 - #- kayobe-seed-upgrade-slurp-ubuntu-noble - #- kayobe-seed-upgrade-ubuntu-noble + - kayobe-seed-rocky10 + - kayobe-seed-rocky10-podman + - kayobe-seed-ubuntu-noble + - kayobe-seed-ubuntu-noble-podman + - kayobe-seed-upgrade-rocky10 + - kayobe-seed-upgrade-slurp-rocky10 + - kayobe-seed-upgrade-slurp-ubuntu-noble + - kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky10 - kayobe-seed-vm-ubuntu-noble gate: @@ -59,14 +59,14 @@ - kayobe-overcloud-upgrade-slurp-rocky10 - kayobe-overcloud-upgrade-slurp-ubuntu-noble - kayobe-overcloud-upgrade-ubuntu-noble - #- kayobe-seed-rocky10 - #- kayobe-seed-rocky10-podman - #- kayobe-seed-ubuntu-noble - #- kayobe-seed-ubuntu-noble-podman - #- kayobe-seed-upgrade-rocky10 - #- kayobe-seed-upgrade-slurp-rocky10 - #- kayobe-seed-upgrade-slurp-ubuntu-noble - #- kayobe-seed-upgrade-ubuntu-noble + - kayobe-seed-rocky10 + - kayobe-seed-rocky10-podman + - kayobe-seed-ubuntu-noble + - kayobe-seed-ubuntu-noble-podman + - kayobe-seed-upgrade-rocky10 + - kayobe-seed-upgrade-slurp-rocky10 + - kayobe-seed-upgrade-slurp-ubuntu-noble + - kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky10 - kayobe-seed-vm-ubuntu-noble From 75844f65d5ffde7164c725250d86307ab53fad3b Mon Sep 17 00:00:00 2001 
From: Will Szumski Date: Mon, 16 Feb 2026 15:04:46 +0000 Subject: [PATCH 179/187] Bump stackhpc.openstack to 0.10.1 This prevents us needing the CRB and EPEL repositories to be enabled on Rocky hosts when building DIB images. Closes-Bug: #2141684 Closes-Bug: #2142501 Change-Id: Id3e610ad466212d3b8dde7a429ea66cc1562b047 Signed-off-by: Will Szumski --- .../notes/fixes-dib-image-build-18f29d072b913669.yaml | 10 ++++++++++ requirements.yml | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/fixes-dib-image-build-18f29d072b913669.yaml diff --git a/releasenotes/notes/fixes-dib-image-build-18f29d072b913669.yaml b/releasenotes/notes/fixes-dib-image-build-18f29d072b913669.yaml new file mode 100644 index 000000000..4639a4add --- /dev/null +++ b/releasenotes/notes/fixes-dib-image-build-18f29d072b913669.yaml @@ -0,0 +1,10 @@ +--- +fixes: + - | + Fixes an issue building diskimage-builder images when EPEL is disabled. + See `LP#2141684 `_ for more + details. + - | + Fixes an issue building diskimage-builder images when using the podman + container engine, See `LP#2142501 + `_ for more details. diff --git a/requirements.yml b/requirements.yml index e0aa67977..aad1416ee 100644 --- a/requirements.yml +++ b/requirements.yml @@ -22,7 +22,7 @@ collections: - name: stackhpc.network version: 1.0.0 - name: stackhpc.openstack - version: 0.9.0 + version: 0.10.1 roles: - src: ahuffman.resolv From 89646f9be661f7958b9d3befddd31f33ae67fe45 Mon Sep 17 00:00:00 2001 
From: Will Szumski Date: Thu, 29 Jan 2026 16:00:32 +0000 Subject: [PATCH 180/187] [networkd] Fix broken conditional [DEPRECATION WARNING]: Conditional result (False) was derived from value of type 'int' at '/home/ubuntu/kayobe/ansible/roles/network-debian/tasks/main.yml:51:9'. Conditionals must have a boolean result. This feature will be removed from ansible-core version 2.23. Origin: /home/ubuntu/kayobe/ansible/roles/network-debian/tasks/main.yml:51:9 49 command: "udevadm trigger --verbose --subsystem-match=net --action=add" 50 changed_when: false 51 when: network_interfaces | networkd_links | length ^ column 9 Broken conditionals are currently allowed because the `ALLOW_BROKEN_CONDITIONALS` configuration option is enabled. TrivialFix Change-Id: I3e04902ac1cf129d325d291cafb719fd15a84368 Signed-off-by: Will Szumski --- ansible/roles/network-debian/tasks/main.yml | 2 +- requirements.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/network-debian/tasks/main.yml b/ansible/roles/network-debian/tasks/main.yml index 27091a841..c1c75ea53 100644 --- a/ansible/roles/network-debian/tasks/main.yml +++ b/ansible/roles/network-debian/tasks/main.yml @@ -48,4 +48,4 @@ become: true command: "udevadm trigger --verbose --subsystem-match=net --action=add" changed_when: false - when: network_interfaces | networkd_links | length + when: network_interfaces | networkd_links | length > 0 diff --git a/requirements.yml b/requirements.yml index aad1416ee..47422251c 100644 --- a/requirements.yml +++ b/requirements.yml @@ -18,7 +18,7 @@ collections: - name: openstack.cloud version: '<3' - name: stackhpc.linux - version: 1.5.1 + version: 1.5.2 - name: stackhpc.network version: 1.0.0 - name: stackhpc.openstack From 6d8f40cf724625700a1c5e905a8c13b42f442255 Mon Sep 17 00:00:00 2001 
From: Will Szumski Date: Thu, 29 Jan 2026 17:36:21 +0000 Subject: [PATCH 181/187] [firewalld] Fix broken conditional Broken conditionals are currently allowed because the `ALLOW_BROKEN_CONDITIONALS` configuration option is enabled. [DEPRECATION WARNING]: Conditional result (True) was derived from value of type 'str' at '/home/zuul/src/opendev.org/openstack/kayobe-config-dev/etc/kayobe/zz-30-overrides.yml:47:25'. Conditionals must have a boolean result. This feature will be removed from ansible-core version 2.23. Origin: /home/zuul/kayobe-venv/share/kayobe/ansible/roles/firewalld/tasks/enabled.yml:50:9 48 become: true 49 loop: "{{ network_interfaces }}" 50 when: item | net_zone ^ column 9 TrivialFix Change-Id: I88e0f12e838070196d8f3ffa4ec95464ab323632 Signed-off-by: Will Szumski --- ansible/roles/firewalld/tasks/enabled.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/firewalld/tasks/enabled.yml b/ansible/roles/firewalld/tasks/enabled.yml index 048645169..1ab86bcd6 100644 --- a/ansible/roles/firewalld/tasks/enabled.yml +++ b/ansible/roles/firewalld/tasks/enabled.yml @@ -47,7 +47,7 @@ zone: "{{ item | net_zone }}" become: true loop: "{{ network_interfaces }}" - when: item | net_zone + when: item | net_zone is truthy notify: Restart firewalld - name: Ensure firewalld rules are applied From fd57c5ed80211a46d9d3c2cd2efcc60c0b32b693 Mon Sep 17 00:00:00 2001 From: Hollie Hutchinson Date: Fri, 28 Nov 2025 11:36:11 +0000 Subject: [PATCH 182/187] Skip external connectivity check when behind a proxy Network connectivity check fails for hosts that have no external network, so this check is now skipped if ``http_proxy`` is defined. Change-Id: Ib6f815c319a7e92e675382cfe9d4011598e72aba 
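Review bot: In `when: item | net_zone is truthy` the filter and the test are chained without grouping, so the reader has to know that Jinja applies them left to right. Writing `when: (item | net_zone) is truthy` makes it explicit that the resulting zone name is what is being tested. Interfaces that fail this condition are not assigned to a zone by this task and presumably end up in the firewalld default zone; a one-line comment saying so would help whoever audits the resulting rule set. The task starts outside the hunk.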
Signed-off-by: Hollie Hutchinson --- ansible/network-connectivity.yml | 40 ++++++++++--------- etc/kayobe/networks.yml | 3 ++ ...l-connectivity-check-43d232b52f43ed93.yaml | 4 ++ 3 files changed, 29 insertions(+), 18 deletions(-) create mode 100644 releasenotes/notes/fix-external-connectivity-check-43d232b52f43ed93.yaml diff --git a/ansible/network-connectivity.yml b/ansible/network-connectivity.yml index 2b7bc2278..8259f898a 100644 --- a/ansible/network-connectivity.yml +++ b/ansible/network-connectivity.yml @@ -6,6 +6,8 @@ default(kayobe_max_fail_percentage) | default(100) }} vars: + # Skip external connectivity check when behind a proxy. + nc_skip_external_net: "{{ http_proxy | truthy }}" # Set this to an external IP address to check. nc_external_ip: 8.8.8.8 # Set this to an external hostname to check. 
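Review bot: `nc_skip_external_net: "{{ http_proxy | truthy }}"` in the play `vars` applies `truthy` as a filter, whereas ansible.builtin provides `truthy` as a test. Unless the project registers a filter of that name, the expression will fail to template when the block's `when` is evaluated. The firewalld fix earlier in this series already uses the test form, and the same works here: `nc_skip_external_net: "{{ http_proxy is truthy }}"`. The expression also assumes `http_proxy` is always defined; if that is not guaranteed elsewhere, `http_proxy | default('') is truthy` avoids an undefined-variable error. The play continues outside this hunk.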
@@ -14,27 +16,29 @@ # (20 bytes) headers. icmp_overhead_bytes: 28 tasks: - - name: "Display next action: external IP address check" - debug: - msg: > - Checking whether hosts have access to an external IP address, - {{ nc_external_ip }}. - run_once: True + - block: + - name: "Display next action: external IP address check" + debug: + msg: > + Checking whether hosts have access to an external IP address, + {{ nc_external_ip }}. + run_once: True - - name: Ensure an external IP is reachable - command: ping -c1 {{ nc_external_ip }} - changed_when: False + - name: Ensure an external IP is reachable + command: ping -c1 {{ nc_external_ip }} + changed_when: False - - name: "Display next action: external hostname check" - debug: - msg: > - Checking whether hosts have access to an external hostname, - {{ nc_external_hostname }}. - run_once: True + - name: "Display next action: external hostname check" + debug: + msg: > + Checking whether hosts have access to an external hostname, + {{ nc_external_hostname }}. + run_once: True - - name: Ensure an external host is reachable - command: ping -c1 {{ nc_external_hostname }} - changed_when: False + - name: Ensure an external host is reachable + command: ping -c1 {{ nc_external_hostname }} + changed_when: False + when: not nc_skip_external_net - name: "Display next action: gateway check" debug: diff --git a/etc/kayobe/networks.yml b/etc/kayobe/networks.yml index 17c9028c4..2132fd179 100644 --- a/etc/kayobe/networks.yml +++ b/etc/kayobe/networks.yml @@ -106,6 +106,9 @@ ############################################################################### # Network connectivity check configuration. +# Whether to skip the external network connectivity check. Default is false. +#nc_skip_external_net: + # External IP address to check. Default is 8.8.8.8. #nc_external_ip: 
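Review bot: The comment added to etc/kayobe/networks.yml says the default of `nc_skip_external_net` is false, but the play in ansible/network-connectivity.yml derives the default from `http_proxy`, so the check is skipped whenever a proxy is configured. I would word it as `# Whether to skip the external network connectivity check. Default is true when http_proxy is set, otherwise false.` so operators know the external reachability check stops running once a proxy is configured. It is also worth stating that setting the variable to `false` explicitly is how to keep the check on proxied hosts, assuming the override takes precedence over the play-level var.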
diff --git a/releasenotes/notes/fix-external-connectivity-check-43d232b52f43ed93.yaml b/releasenotes/notes/fix-external-connectivity-check-43d232b52f43ed93.yaml new file mode 100644 index 000000000..3ee7d838f --- /dev/null +++ b/releasenotes/notes/fix-external-connectivity-check-43d232b52f43ed93.yaml @@ -0,0 +1,4 @@ +--- +features: + - | + Skip external connectivity check behind a proxy. From d679f16694a17e987d95e3459757ba60d54a3ea1 Mon Sep 17 00:00:00 2001 From: Leonie Chamberlin-Medd Date: Mon, 12 Jan 2026 13:03:24 +0000 Subject: [PATCH 183/187] Add support for fail2ban in Kayobe Adds support for installing and configuring fail2ban in Kayobe using the robertdebock.fail2ban Ansible role https://galaxy.ansible.com/ui/standalone/roles/robertdebock/fail2ban/ Change-Id: Ic484b2c4f6e261a5173ba8f5378258068f468fa2 
Signed-off-by: Leonie Chamberlin-Medd --- ansible/control-host-configure.yml | 1 + ansible/fail2ban.yml | 17 ++++++++ ansible/infra-vm-host-configure.yml | 1 + .../inventory/group_vars/all/ansible-control | 20 ++++++++++ ansible/inventory/group_vars/all/compute | 20 ++++++++++ ansible/inventory/group_vars/all/controllers | 20 ++++++++++ ansible/inventory/group_vars/all/infra-vms | 20 ++++++++++ ansible/inventory/group_vars/all/monitoring | 20 ++++++++++ ansible/inventory/group_vars/all/seed | 20 ++++++++++ .../inventory/group_vars/all/seed-hypervisor | 20 ++++++++++ ansible/inventory/group_vars/all/storage | 20 ++++++++++ .../group_vars/ansible-control/fail2ban | 6 +++ ansible/inventory/group_vars/compute/fail2ban | 6 +++ .../inventory/group_vars/controllers/fail2ban | 6 +++ .../inventory/group_vars/infra-vms/fail2ban | 6 +++ .../inventory/group_vars/monitoring/fail2ban | 6 +++ .../group_vars/seed-hypervisor/fail2ban | 6 +++ ansible/inventory/group_vars/seed/fail2ban | 6 +++ ansible/inventory/group_vars/storage/fail2ban | 6 +++ ansible/overcloud-host-configure.yml | 1 + ansible/seed-host-configure.yml | 1 + ansible/seed-hypervisor-host-configure.yml | 1 + doc/source/configuration/reference/hosts.rst | 39 +++++++++++++++++++ etc/kayobe/ansible-control.yml | 15 +++++++ etc/kayobe/compute.yml | 15 +++++++ etc/kayobe/controllers.yml | 15 +++++++ etc/kayobe/infra-vms.yml | 15 +++++++ etc/kayobe/monitoring.yml | 15 +++++++ etc/kayobe/seed-hypervisor.yml | 15 +++++++ etc/kayobe/seed.yml | 15 +++++++ etc/kayobe/storage.yml | 15 +++++++ .../overrides.yml.j2 | 6 +++ .../tests/test_overcloud_host_configure.py | 10 +++++ .../support-fail2ban-b25a26d66cfbcaaf.yaml | 6 +++ requirements.yml | 2 + zuul.d/jobs.yaml | 4 ++ 36 files changed, 417 insertions(+) create mode 100644 ansible/fail2ban.yml create mode 100644 ansible/inventory/group_vars/ansible-control/fail2ban create mode 100644 ansible/inventory/group_vars/compute/fail2ban create mode 100644 
ansible/inventory/group_vars/controllers/fail2ban create mode 100644 ansible/inventory/group_vars/infra-vms/fail2ban create mode 100644 ansible/inventory/group_vars/monitoring/fail2ban create mode 100644 ansible/inventory/group_vars/seed-hypervisor/fail2ban create mode 100644 ansible/inventory/group_vars/seed/fail2ban create mode 100644 ansible/inventory/group_vars/storage/fail2ban create mode 100644 releasenotes/notes/support-fail2ban-b25a26d66cfbcaaf.yaml diff --git a/ansible/control-host-configure.yml b/ansible/control-host-configure.yml index 996da2c68..fb58add50 100644 --- a/ansible/control-host-configure.yml +++ b/ansible/control-host-configure.yml @@ -13,6 +13,7 @@ - import_playbook: "selinux.yml" - import_playbook: "network.yml" - import_playbook: "firewall.yml" +- import_playbook: "fail2ban.yml" - import_playbook: "tuned.yml" - import_playbook: "sysctl.yml" - import_playbook: "time.yml" diff --git a/ansible/fail2ban.yml b/ansible/fail2ban.yml new file mode 100644 index 000000000..5f85f0a0e --- /dev/null +++ b/ansible/fail2ban.yml @@ -0,0 +1,17 @@ +--- +- name: Configure fail2ban + hosts: seed:seed-hypervisor:overcloud:infra-vms:ansible-control + max_fail_percentage: >- + {{ fail2ban_max_fail_percentage | + default(host_configure_max_fail_percentage) | + default(kayobe_max_fail_percentage) | + default(100) }} + tags: + - fail2ban + roles: + - role: robertdebock.fail2ban + become: true + when: fail2ban_enabled | bool + vars: + # TODO (L-Chams): Remove fail2ban_sender override when PR https://github.com/robertdebock/ansible-role-fail2ban/pull/18 is merged. + fail2ban_sender: root@{{ ansible_facts.fqdn }} diff --git a/ansible/infra-vm-host-configure.yml b/ansible/infra-vm-host-configure.yml index 644c7f03a..2d1595074 100644 --- a/ansible/infra-vm-host-configure.yml +++ b/ansible/infra-vm-host-configure.yml 
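Review bot: `when: fail2ban_enabled | bool` in ansible/fail2ban.yml assumes every host matched by `seed:seed-hypervisor:overcloud:infra-vms:ansible-control` has `fail2ban_enabled` defined. This commit only defines it in the group_vars of ansible-control, compute, controllers, infra-vms, monitoring, seed, seed-hypervisor and storage. A host that is in `overcloud` through some other group would hit an undefined-variable error instead of being skipped; `when: fail2ban_enabled | default(false) | bool` keeps the feature opt-in for such hosts. Since the role is third-party and runs with `become: true`, it is also worth confirming that the requirements.yml entry (not visible in this hunk) pins an exact version.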
@@ -13,6 +13,7 @@ - import_playbook: "selinux.yml" - import_playbook: "network.yml" - import_playbook: "firewall.yml" +- import_playbook: "fail2ban.yml" - import_playbook: "tuned.yml" - import_playbook: "sysctl.yml" - import_playbook: "disable-glean.yml" diff --git a/ansible/inventory/group_vars/all/ansible-control b/ansible/inventory/group_vars/all/ansible-control index 0f9f555c0..635024df0 100644 --- a/ansible/inventory/group_vars/all/ansible-control +++ b/ansible/inventory/group_vars/all/ansible-control @@ -126,6 +126,26 @@ ansible_control_firewalld_default_zone: # - state: enabled ansible_control_firewalld_rules: [] +############################################################################### +# Ansible control host fail2ban configuration. + +# Whether to install and enable fail2ban. Default is false. +ansible_control_fail2ban_enabled: false + +# List of fail2ban jails for the Ansible control host. +ansible_control_fail2ban_jail_configuration: >- + {{ ansible_control_fail2ban_jail_configuration_default + + ansible_control_fail2ban_jail_configuration_extra }} + +# List of default fail2ban jails for the Ansible control host. +ansible_control_fail2ban_jail_configuration_default: + - option: enabled + value: "true" + section: sshd + +# List of extra fail2ban jails for the Ansible control host. +ansible_control_fail2ban_jail_configuration_extra: [] + ############################################################################### # Ansible control host swap configuration. diff --git a/ansible/inventory/group_vars/all/compute b/ansible/inventory/group_vars/all/compute index 1803098cc..99fb9dc3c 100644 --- a/ansible/inventory/group_vars/all/compute +++ b/ansible/inventory/group_vars/all/compute 
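Review bot: The default jail list added to group_vars/all/ansible-control (and repeated in the compute, controllers, infra-vms, monitoring, seed, seed-hypervisor and storage hunks) enables the `sshd` jail with no `ignoreip` entry, on hosts that are presumably managed over SSH. A burst of failed logins from the Ansible control host or a bastion could get that address banned and cut off management access, so I would add a comment above the `_extra` variable such as `# Consider adding an ignoreip option for the control host address here before enabling fail2ban.` The comments also describe these lists as "fail2ban jails", although each item is a single option/value/section setting; `# List of fail2ban jail options for the Ansible control host.` would be more accurate.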
@@ -185,6 +185,26 @@ compute_firewalld_default_zone: # - state: enabled compute_firewalld_rules: [] +############################################################################### +# Compute node fail2ban configuration. + +# Whether to install and enable fail2ban. +compute_fail2ban_enabled: false + +# List of fail2ban jails for the compute node. +compute_fail2ban_jail_configuration: >- + {{ compute_fail2ban_jail_configuration_default + + compute_fail2ban_jail_configuration_extra }} + +# List of default fail2ban jails for the compute node. +compute_fail2ban_jail_configuration_default: + - option: enabled + value: "true" + section: sshd + +# List of extra fail2ban jails for the compute node. +compute_fail2ban_jail_configuration_extra: [] + ############################################################################### # Compute node host libvirt configuration. diff --git a/ansible/inventory/group_vars/all/controllers b/ansible/inventory/group_vars/all/controllers index a7b2097bd..f8be1616a 100644 --- a/ansible/inventory/group_vars/all/controllers +++ b/ansible/inventory/group_vars/all/controllers 
@@ -224,6 +224,26 @@ controller_firewalld_default_zone: # - state: enabled controller_firewalld_rules: [] +############################################################################### +# Controller node fail2ban configuration. + +# Whether to install and enable fail2ban. +controller_fail2ban_enabled: false + +# List of fail2ban jails for the controller node. +controller_fail2ban_jail_configuration: >- + {{ controller_fail2ban_jail_configuration_default + + controller_fail2ban_jail_configuration_extra }} + +# List of default fail2ban jails for the controller node. +controller_fail2ban_jail_configuration_default: + - option: enabled + value: "true" + section: sshd + +# List of extra fail2ban jails for the controller node. +controller_fail2ban_jail_configuration_extra: [] + ############################################################################### # Controller node swap configuration. diff --git a/ansible/inventory/group_vars/all/infra-vms b/ansible/inventory/group_vars/all/infra-vms index 58b91b97a..df0b8bcaa 100644 --- a/ansible/inventory/group_vars/all/infra-vms +++ b/ansible/inventory/group_vars/all/infra-vms 
@@ -230,6 +230,26 @@ infra_vm_firewalld_default_zone: # - state: enabled infra_vm_firewalld_rules: [] +############################################################################### +# Infrastructure VM node fail2ban configuration. + +# Whether to install and enable fail2ban. +infra_vm_fail2ban_enabled: false + +# List of fail2ban jails for the infrastructure VM node. +infra_vm_fail2ban_jail_configuration: >- + {{ infra_vm_fail2ban_jail_configuration_default + + infra_vm_fail2ban_jail_configuration_extra }} + +# List of default fail2ban jails for the infrastructure VM node. +infra_vm_fail2ban_jail_configuration_default: + - option: enabled + value: "true" + section: sshd + +# List of extra fail2ban jails for the infrastructure VM node. +infra_vm_fail2ban_jail_configuration_extra: [] + ############################################################################### # Infrastructure VM node swap configuration. diff --git a/ansible/inventory/group_vars/all/monitoring b/ansible/inventory/group_vars/all/monitoring index ee1fa4ebc..61492f2b2 100644 --- a/ansible/inventory/group_vars/all/monitoring +++ b/ansible/inventory/group_vars/all/monitoring 
@@ -124,6 +124,26 @@ monitoring_firewalld_default_zone: "{{ controller_firewalld_default_zone }}" # - state: enabled monitoring_firewalld_rules: "{{ controller_firewalld_rules }}" +############################################################################### +# Monitoring node fail2ban configuration. + +# Whether to install and enable fail2ban. +monitoring_fail2ban_enabled: false + +# List of fail2ban jails for the monitoring node. +monitoring_fail2ban_jail_configuration: >- + {{ monitoring_fail2ban_jail_configuration_default + + monitoring_fail2ban_jail_configuration_extra }} + +# List of default fail2ban jails for the monitoring node. +monitoring_fail2ban_jail_configuration_default: + - option: enabled + value: "true" + section: sshd + +# List of extra fail2ban jails for the monitoring node. +monitoring_fail2ban_jail_configuration_extra: [] + ############################################################################### # Monitoring node swap configuration. diff --git a/ansible/inventory/group_vars/all/seed b/ansible/inventory/group_vars/all/seed index 37d4497d9..22c0bc6d4 100644 --- a/ansible/inventory/group_vars/all/seed +++ b/ansible/inventory/group_vars/all/seed 
@@ -169,6 +169,26 @@ seed_firewalld_default_zone: # - state: enabled seed_firewalld_rules: [] +############################################################################### +# Seed node fail2ban configuration. + +# Whether to install and enable fail2ban. +seed_fail2ban_enabled: false + +# List of fail2ban jails for the seed node. +seed_fail2ban_jail_configuration: >- + {{ seed_fail2ban_jail_configuration_default + + seed_fail2ban_jail_configuration_extra }} + +# List of default fail2ban jails for the seed node. +seed_fail2ban_jail_configuration_default: + - option: enabled + value: "true" + section: sshd + +# List of extra fail2ban jails for the seed node. +seed_fail2ban_jail_configuration_extra: [] + ############################################################################### # Seed node swap configuration. diff --git a/ansible/inventory/group_vars/all/seed-hypervisor b/ansible/inventory/group_vars/all/seed-hypervisor index 80fe27851..47c64b3f7 100644 --- a/ansible/inventory/group_vars/all/seed-hypervisor +++ b/ansible/inventory/group_vars/all/seed-hypervisor 
@@ -162,6 +162,26 @@ seed_hypervisor_firewalld_default_zone: # - state: enabled seed_hypervisor_firewalld_rules: [] +############################################################################### +# Seed hypervisor node fail2ban configuration. + +# Whether to install and enable fail2ban. +seed_hypervisor_fail2ban_enabled: false + +# List of fail2ban jails for the seed hypervisor node. +seed_hypervisor_fail2ban_jail_configuration: >- + {{ seed_hypervisor_fail2ban_jail_configuration_default + + seed_hypervisor_fail2ban_jail_configuration_extra }} + +# List of default fail2ban jails for the seed hypervisor node. +seed_hypervisor_fail2ban_jail_configuration_default: + - option: enabled + value: "true" + section: sshd + +# List of extra fail2ban jails for the seed hypervisor node. +seed_hypervisor_fail2ban_jail_configuration_extra: [] + ############################################################################### # Seed hypervisor node swap configuration. diff --git a/ansible/inventory/group_vars/all/storage b/ansible/inventory/group_vars/all/storage index 429c0e816..46ea4bc79 100644 --- a/ansible/inventory/group_vars/all/storage +++ b/ansible/inventory/group_vars/all/storage 
@@ -173,6 +173,26 @@ storage_firewalld_default_zone: # - state: enabled storage_firewalld_rules: [] +############################################################################### +# Storage node fail2ban configuration. + +# Whether to install and enable fail2ban. +storage_fail2ban_enabled: false + +# List of fail2ban jails for the storage node. +storage_fail2ban_jail_configuration: >- + {{ storage_fail2ban_jail_configuration_default + + storage_fail2ban_jail_configuration_extra }} + +# List of default fail2ban jails for the storage node. +storage_fail2ban_jail_configuration_default: + - option: enabled + value: "true" + section: sshd + +# List of extra fail2ban jails for the storage node. +storage_fail2ban_jail_configuration_extra: [] + ############################################################################### # Storage node swap configuration. diff --git a/ansible/inventory/group_vars/ansible-control/fail2ban b/ansible/inventory/group_vars/ansible-control/fail2ban new file mode 100644 index 000000000..d3b3e149b --- /dev/null +++ b/ansible/inventory/group_vars/ansible-control/fail2ban @@ -0,0 +1,6 @@ +--- +# Whether to install and enable fail2ban +fail2ban_enabled: "{{ ansible_control_fail2ban_enabled }}" + +# List of fail2ban jails for the Ansible control host. +fail2ban_jail_configuration: "{{ ansible_control_fail2ban_jail_configuration }}" diff --git a/ansible/inventory/group_vars/compute/fail2ban b/ansible/inventory/group_vars/compute/fail2ban new file mode 100644 index 000000000..bef1836ec --- /dev/null +++ b/ansible/inventory/group_vars/compute/fail2ban @@ -0,0 +1,6 @@ +--- +# Whether to install and enable fail2ban +fail2ban_enabled: "{{ compute_fail2ban_enabled }}" + +# List of fail2ban jails for the compute node. +fail2ban_jail_configuration: "{{ compute_fail2ban_jail_configuration }}" diff --git a/ansible/inventory/group_vars/controllers/fail2ban b/ansible/inventory/group_vars/controllers/fail2ban new file mode 100644 index 000000000..72693b64a 
--- /dev/null +++ b/ansible/inventory/group_vars/controllers/fail2ban @@ -0,0 +1,6 @@ +--- +# Whether to install and enable fail2ban +fail2ban_enabled: "{{ controller_fail2ban_enabled }}" + +# List of fail2ban jails for the controller node. +fail2ban_jail_configuration: "{{ controller_fail2ban_jail_configuration }}" diff --git a/ansible/inventory/group_vars/infra-vms/fail2ban b/ansible/inventory/group_vars/infra-vms/fail2ban new file mode 100644 index 000000000..f1e6f2a4a --- /dev/null +++ b/ansible/inventory/group_vars/infra-vms/fail2ban @@ -0,0 +1,6 @@ +--- +# Whether to install and enable fail2ban +fail2ban_enabled: "{{ infra_vm_fail2ban_enabled }}" + +# List of fail2ban jails for the infrastructure VM node. +fail2ban_jail_configuration: "{{ infra_vm_fail2ban_jail_configuration }}" diff --git a/ansible/inventory/group_vars/monitoring/fail2ban b/ansible/inventory/group_vars/monitoring/fail2ban new file mode 100644 index 000000000..9160d962f --- /dev/null +++ b/ansible/inventory/group_vars/monitoring/fail2ban @@ -0,0 +1,6 @@ +--- +# Whether to install and enable fail2ban +fail2ban_enabled: "{{ monitoring_fail2ban_enabled }}" + +# List of fail2ban jails for the monitoring node. +fail2ban_jail_configuration: "{{ monitoring_fail2ban_jail_configuration }}" diff --git a/ansible/inventory/group_vars/seed-hypervisor/fail2ban b/ansible/inventory/group_vars/seed-hypervisor/fail2ban new file mode 100644 index 000000000..f1106c883 --- /dev/null +++ b/ansible/inventory/group_vars/seed-hypervisor/fail2ban @@ -0,0 +1,6 @@ +--- +# Whether to install and enable fail2ban +fail2ban_enabled: "{{ seed_hypervisor_fail2ban_enabled }}" + +# List of fail2ban jails for the seed hypervisor node. +fail2ban_jail_configuration: "{{ seed_hypervisor_fail2ban_jail_configuration }}" diff --git a/ansible/inventory/group_vars/seed/fail2ban b/ansible/inventory/group_vars/seed/fail2ban new file mode 100644 index 000000000..dcdf156f9 --- /dev/null +++ b/ansible/inventory/group_vars/seed/fail2ban 
@@ -0,0 +1,6 @@ +--- +# Whether to install and enable fail2ban +fail2ban_enabled: "{{ seed_fail2ban_enabled }}" + +# List of fail2ban jails for the seed node. +fail2ban_jail_configuration: "{{ seed_fail2ban_jail_configuration }}" diff --git a/ansible/inventory/group_vars/storage/fail2ban b/ansible/inventory/group_vars/storage/fail2ban new file mode 100644 index 000000000..024920388 --- /dev/null +++ b/ansible/inventory/group_vars/storage/fail2ban @@ -0,0 +1,6 @@ +--- +# Whether to install and enable fail2ban +fail2ban_enabled: "{{ storage_fail2ban_enabled }}" + +# List of fail2ban jails for the storage node. +fail2ban_jail_configuration: "{{ storage_fail2ban_jail_configuration }}" diff --git a/ansible/overcloud-host-configure.yml b/ansible/overcloud-host-configure.yml index fff5bc398..a6cdf4d8b 100644 --- a/ansible/overcloud-host-configure.yml +++ b/ansible/overcloud-host-configure.yml @@ -13,6 +13,7 @@ - import_playbook: "selinux.yml" - import_playbook: "network.yml" - import_playbook: "firewall.yml" +- import_playbook: "fail2ban.yml" - import_playbook: "etc-hosts.yml" - import_playbook: "tuned.yml" - import_playbook: "sysctl.yml" diff --git a/ansible/seed-host-configure.yml b/ansible/seed-host-configure.yml index 00c7eed6c..25b0dcc16 100644 --- a/ansible/seed-host-configure.yml +++ b/ansible/seed-host-configure.yml @@ -13,6 +13,7 @@ - import_playbook: "selinux.yml" - import_playbook: "network.yml" - import_playbook: "firewall.yml" +- import_playbook: "fail2ban.yml" - import_playbook: "tuned.yml" - import_playbook: "sysctl.yml" - import_playbook: "ip-routing.yml" diff --git a/ansible/seed-hypervisor-host-configure.yml b/ansible/seed-hypervisor-host-configure.yml index a91f5781a..56f240848 100644 --- a/ansible/seed-hypervisor-host-configure.yml +++ b/ansible/seed-hypervisor-host-configure.yml 
@@ -13,6 +13,7 @@ - import_playbook: "selinux.yml" - import_playbook: "network.yml" - import_playbook: "firewall.yml" +- import_playbook: "fail2ban.yml" - import_playbook: "tuned.yml" - import_playbook: "sysctl.yml" - import_playbook: "ip-routing.yml" diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst index b0ed019a3..da2a1467f 100644 --- a/doc/source/configuration/reference/hosts.rst +++ b/doc/source/configuration/reference/hosts.rst @@ -691,6 +691,45 @@ follows: Note that despite the name, this will not actively enable UFW. It may do so in the future. +Fail2Ban +======== +@tags: + | ``fail2ban`` + +Fail2Ban can be used to ban IP addresses that show malicious signs, such as +ones that conduct too many failed login attempts. Kayobe can install and configure +Fail2Ban on hosts. + +In order to use fail2ban, it is important to note that the user should enable +``dnf_install_epel`` in their configuration when using Rocky Linux or CentOS. + +The following variables can be used to set whether to enable fail2ban: + +* ``ansible_control_fail2ban_enabled`` +* ``seed_hypervisor_fail2ban_enabled`` +* ``seed_fail2ban_enabled`` +* ``infra_vm_fail2ban_enabled`` +* ``compute_fail2ban_enabled`` +* ``controller_fail2ban_enabled`` +* ``monitoring_fail2ban_enabled`` +* ``storage_fail2ban_enabled`` + +The following example demonstrates how to enable fail2ban on controllers. + +.. code-block:: yaml + + controller_fail2ban_enabled: true + +The following should be added in the configuration file to set the default +fail2ban sshd jail: + +.. code-block:: yaml + + fail2ban_jail_configuration: + - option: enabled + value: "true" + section: sshd + .. _configuration-hosts-tuned: Tuned diff --git a/etc/kayobe/ansible-control.yml b/etc/kayobe/ansible-control.yml index cd6b563d5..5232d4470 100644 --- a/etc/kayobe/ansible-control.yml +++ b/etc/kayobe/ansible-control.yml 
@@ -111,6 +111,21 @@ # - state: enabled #ansible_control_firewalld_rules: +############################################################################### +# Ansible control host fail2ban configuration. + +# Whether to install and enable fail2ban. +#ansible_control_fail2ban_enabled: + +# List of fail2ban jails for the Ansible control host. +#ansible_control_fail2ban_jail_configuration: + +# List of default fail2ban jails for the Ansible control host. +#ansible_control_fail2ban_jail_configuration_default: + +# List of extra fail2ban jails for the Ansible control host. +#ansible_control_fail2ban_jail_configuration_extra: + ############################################################################### # Ansible control host swap configuration. diff --git a/etc/kayobe/compute.yml b/etc/kayobe/compute.yml index f8a7deb29..5240624f1 100644 --- a/etc/kayobe/compute.yml +++ b/etc/kayobe/compute.yml @@ -159,6 +159,21 @@ # - state: enabled #compute_firewalld_rules: +############################################################################### +# Compute node fail2ban configuration. + +# Whether to install and enable fail2ban. +#compute_fail2ban_enabled: + +# List of fail2ban jails for the compute node. +#compute_fail2ban_jail_configuration: + +# List of default fail2ban jails for the compute node. +#compute_fail2ban_jail_configuration_default: + +# List of extra fail2ban jails for the compute node. +#compute_fail2ban_jail_configuration_extra: + ############################################################################### # Compute node host libvirt configuration. diff --git a/etc/kayobe/controllers.yml b/etc/kayobe/controllers.yml index 1cc50c30b..7dd3199f2 100644 --- a/etc/kayobe/controllers.yml +++ b/etc/kayobe/controllers.yml 
@@ -185,6 +185,21 @@ # - state: enabled #controller_firewalld_rules: +############################################################################### +# Controller node fail2ban configuration. + +# Whether to install and enable fail2ban. +#controller_fail2ban_enabled: + +# List of fail2ban jails for the controller node. +#controller_fail2ban_jail_configuration: + +# List of default fail2ban jails for the controller node. +#controller_fail2ban_jail_configuration_default: + +# List of extra fail2ban jails for the controller node. +#controller_fail2ban_jail_configuration_extra: + ############################################################################### # Controller node swap configuration. diff --git a/etc/kayobe/infra-vms.yml b/etc/kayobe/infra-vms.yml index 59147aac7..50362e59d 100644 --- a/etc/kayobe/infra-vms.yml +++ b/etc/kayobe/infra-vms.yml @@ -188,6 +188,21 @@ # - state: enabled #infra_vm_firewalld_rules: +############################################################################### +# Infrastructure VM node fail2ban configuration. + +# Whether to install and enable fail2ban. +#infra_vm_fail2ban_enabled: + +# List of fail2ban jails for the infrastructure VM node. +#infra_vm_fail2ban_jail_configuration: + +# List of default fail2ban jails for the infrastructure VM node. +#infra_vm_fail2ban_jail_configuration_default: + +# List of extra fail2ban jails for the infrastructure VM node. +#infra_vm_fail2ban_jail_configuration_extra: + ############################################################################### # Infrastructure VM node swap configuration. diff --git a/etc/kayobe/monitoring.yml b/etc/kayobe/monitoring.yml index 8c63bd589..463b3090b 100644 --- a/etc/kayobe/monitoring.yml +++ b/etc/kayobe/monitoring.yml 
@@ -117,6 +117,21 @@ # - state: enabled #monitoring_firewalld_rules: +############################################################################### +# Monitoring node fail2ban configuration. + +# Whether to install and enable fail2ban. +#monitoring_fail2ban_enabled: + +# List of fail2ban jails for the monitoring node. +#monitoring_fail2ban_jail_configuration: + +# List of default fail2ban jails for the monitoring node. +#monitoring_fail2ban_jail_configuration_default: + +# List of extra fail2ban jails for the monitoring node. +#monitoring_fail2ban_jail_configuration_extra: + ############################################################################### # Monitoring node swap configuration. diff --git a/etc/kayobe/seed-hypervisor.yml b/etc/kayobe/seed-hypervisor.yml index 5905eefe0..8a063703b 100644 --- a/etc/kayobe/seed-hypervisor.yml +++ b/etc/kayobe/seed-hypervisor.yml @@ -136,6 +136,21 @@ # - state: enabled #seed_hypervisor_firewalld_rules: +############################################################################### +# Seed hypervisor node fail2ban configuration. + +# Whether to install and enable fail2ban. +#seed_hypervisor_fail2ban_enabled: + +# List of fail2ban jails for the seed hypervisor node. +#seed_hypervisor_fail2ban_jail_configuration: + +# List of default fail2ban jails for the seed hypervisor node. +#seed_hypervisor_fail2ban_jail_configuration_default: + +# List of extra fail2ban jails for the seed hypervisor node. +#seed_hypervisor_fail2ban_jail_configuration_extra: + ############################################################################### # Seed hypervisor node swap configuration. diff --git a/etc/kayobe/seed.yml b/etc/kayobe/seed.yml index 7a335ea2f..46f1cddc6 100644 --- a/etc/kayobe/seed.yml +++ b/etc/kayobe/seed.yml 
@@ -143,6 +143,21 @@ # - state: enabled #seed_firewalld_rules: +############################################################################### +# Seed node fail2ban configuration. + +# Whether to install and enable fail2ban. +#seed_fail2ban_enabled: + +# List of fail2ban jails for the seed node. +#seed_fail2ban_jail_configuration: + +# List of default fail2ban jails for the seed node. +#seed_fail2ban_jail_configuration_default: + +# List of extra fail2ban jails for the seed node. +#seed_fail2ban_jail_configuration_extra: + ############################################################################### # Seed node swap configuration. diff --git a/etc/kayobe/storage.yml b/etc/kayobe/storage.yml index 170ed2ab2..53376b4ef 100644 --- a/etc/kayobe/storage.yml +++ b/etc/kayobe/storage.yml @@ -147,6 +147,21 @@ # - state: enabled #storage_firewalld_rules: +############################################################################### +# Storage node fail2ban configuration. + +# Whether to install and enable fail2ban. +#storage_fail2ban_enabled: + +# List of fail2ban jails for the storage node. +#storage_fail2ban_jail_configuration: + +# List of default fail2ban jails for the storage node. +#storage_fail2ban_jail_configuration_default: + +# List of extra fail2ban jails for the storage node. +#storage_fail2ban_jail_configuration_extra: + ############################################################################### # Storage node swap configuration. diff --git a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 index d2e75f779..06933a1d0 100644 --- a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 +++ b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 
@@ -212,3 +212,9 @@ controller_swap: # Generate a password for libvirt SASL authentication. compute_libvirt_sasl_password: "{% raw %}{{ lookup('password', '/tmp/libvirt-sasl-password') }}{% endraw %}" + +# Test fail2ban configuration +{% if fail2ban_enabled | bool %} +dnf_use_local_mirror: true +controller_fail2ban_enabled: true +{% endif %} diff --git a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py index 442e39f80..f8e394909 100644 --- a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py +++ b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py @@ -344,6 +344,16 @@ def test_firewalld_rules(host): assert expected_line in info assert expected_line in perm_info +def test_fail2ban_running(host): + assert host.package("fail2ban").is_installed + assert host.service("fail2ban.service").is_enabled + assert host.service("fail2ban.service").is_running + +def test_fail2ban_default_jail_config(host): + # verify that sshd jail is enabled by default + status = host.check_output("sudo fail2ban-client status sshd") + status = status.splitlines() + assert "Status for the jail: sshd" in status @pytest.mark.skipif(not _is_dnf(), reason="SELinux only supported on CentOS/Rocky") diff --git a/releasenotes/notes/support-fail2ban-b25a26d66cfbcaaf.yaml b/releasenotes/notes/support-fail2ban-b25a26d66cfbcaaf.yaml new file mode 100644 index 000000000..975239e50 --- /dev/null +++ b/releasenotes/notes/support-fail2ban-b25a26d66cfbcaaf.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + Adds support for installing and configuring fail2ban. See the docs + http://docs.openstack.org/kayobe/latest/configuration/reference/hosts.html#fail2ban + for more information. diff --git a/requirements.yml b/requirements.yml index 47422251c..5974a41a5 100644 --- a/requirements.yml +++ b/requirements.yml 
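Review bot: `test_fail2ban_running` and `test_fail2ban_default_jail_config` carry no skip condition, yet the overrides template in this patch sets `controller_fail2ban_enabled: true` only when `fail2ban_enabled` is true. The zuul.d/jobs.yaml hunk sets that variable for the rocky10 and ubuntu-noble jobs only. If any other job derived from kayobe-overcloud-host-configure-base runs this module (not visible from the hunk), both tests would fail on a host where fail2ban was never installed. A marker in the style of the `_is_dnf()` one just below would keep test and configuration aligned, e.g. `@pytest.mark.skipif(not _fail2ban_enabled(), reason="fail2ban not enabled for this job")`, where `_fail2ban_enabled()` is a hypothetical helper that reads the job's setting.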
@@ -40,6 +40,8 @@ roles: version: v0.2.13 - src: mrlesmithjr.mdadm version: v0.1.9 + - src: robertdebock.fail2ban + version: 5.0.6 - src: singleplatform-eng.users version: v1.2.6 - src: stackhpc.drac diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index ed98ae2dc..08a4328ee 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -313,11 +313,15 @@ name: kayobe-overcloud-host-configure-rocky10 parent: kayobe-overcloud-host-configure-base nodeset: kayobe-rocky10 + vars: + fail2ban_enabled: true - job: name: kayobe-overcloud-host-configure-ubuntu-noble parent: kayobe-overcloud-host-configure-base nodeset: kayobe-ubuntu-noble + vars: + fail2ban_enabled: true - job: name: kayobe-seed-upgrade-base From 8acf6a7b52a201364e1a50e47cbcce4352f271c2 Mon Sep 17 00:00:00 2001 From: Matt Crees Date: Tue, 19 Nov 2024 16:09:13 +0000 Subject: [PATCH 184/187] Deprecate kolla-tags and kolla-limit Deprecates the options ``--kolla-tags``, ``--kolla-skip-tags``, and ``kolla-limit``. Regular ``--tags``, ``--skip-tags``, and ``--limit`` will now be passed directly to the Kolla-Ansible invocations. The ``kayobe-generate-config`` tag is added to ``kolla-ansible.yml`` and ``kolla-openstack.yml``. It is always called, to allow for limiting to OpenStack services with just one tag, e.g. ``kayobe overcloud service deploy -t nova`. You can still skip this with ``--skip-tags kayobe-generate-config``. Also adds the ``bifrost`` tag to ``kolla-bifrost.yml``, so that we can easily limit to bifrost in the seed service deploy. As there is no clean way to handle some of Ansible's "special" tags like ``none``, using both regular and kolla tags/limits together is no longer allowed. Change-Id: I6f466305d49031da4d048f8fa7d2625b261a6fa0 
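Review bot: `robertdebock.fail2ban` is a third-party Galaxy role that will presumably run with elevated privilege on every host group where fail2ban is enabled, and the new entry pins it only by the release label `5.0.6`. Like the neighbouring entries, this trusts that the label keeps resolving to the same content upstream. A comment above the entry would make the expectation explicit for whoever bumps it next, for example `# third-party role, runs privileged on target hosts; review the upstream diff before bumping`. Whether the project mirrors or vets Galaxy roles elsewhere cannot be seen from this hunk.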
Signed-off-by: Matt Crees Co-Authored-By: Will Szumski --- ansible/kayobe-target-venv.yml | 4 +- ansible/kolla-ansible.yml | 4 + ansible/kolla-bifrost.yml | 1 + ansible/kolla-openstack.yml | 3 + doc/source/administration/overcloud.rst | 29 +++---- doc/source/administration/seed.rst | 7 +- doc/source/configuration/reference/vgpu.rst | 4 +- doc/source/deployment.rst | 7 +- doc/source/upgrading.rst | 10 ++- doc/source/usage.rst | 22 ++--- kayobe/ansible.py | 2 + kayobe/cli/commands.py | 85 ++++++++++++++++--- kayobe/cmd/kayobe.py | 33 +++++++ kayobe/kolla_ansible.py | 28 +++--- kayobe/tests/unit/test_ansible.py | 6 +- kayobe/tests/unit/test_kolla_ansible.py | 12 +-- ...ags-and-kolla-limits-254faef5584176e1.yaml | 22 +++++ 17 files changed, 209 insertions(+), 70 deletions(-) create mode 100644 releasenotes/notes/drop-kolla-tags-and-kolla-limits-254faef5584176e1.yaml diff --git a/ansible/kayobe-target-venv.yml b/ansible/kayobe-target-venv.yml index 53005c86e..4d4ae092f 100644 --- a/ansible/kayobe-target-venv.yml +++ b/ansible/kayobe-target-venv.yml @@ -26,7 +26,9 @@ filter: "{{ kayobe_ansible_setup_filter }}" gather_subset: "{{ kayobe_ansible_setup_gather_subset }}" when: - - ansible_facts is undefined or ansible_facts is falsy + #TODO(mattcrees): Enable this check once this bug is fixed: + # https://bugs.launchpad.net/kayobe/+bug/2144548 + # - ansible_facts is undefined or ansible_facts is falsy - kayobe_virtualenv is defined register: gather_facts_result # Before any facts are gathered, ansible doesn't know about diff --git a/ansible/kolla-ansible.yml b/ansible/kolla-ansible.yml index ec6c4e173..5a0505e52 100644 --- a/ansible/kolla-ansible.yml +++ b/ansible/kolla-ansible.yml @@ -9,6 +9,7 @@ tags: - kolla-ansible - config-validation + - kayobe-generate-config tasks: - name: Validate serial console configuration block: @@ -26,6 +27,7 @@ hosts: localhost tags: - kolla-ansible + - kayobe-generate-config gather_facts: false pre_tasks: - block: 
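Review bot: In the kayobe-target-venv.yml hunk the `ansible_facts is undefined or ansible_facts is falsy` guard is disabled by commenting it out inside the `when:` list, and the comment does not say what changes as a result. With only `kayobe_virtualenv is defined` left, the fact-gathering task appears to run on every invocation instead of only when facts are missing. I would state that in the comment and use the spaced form, e.g. `# TODO(mattcrees): guard disabled, facts are gathered on every run until bug 2144548 is fixed`. The task itself starts outside the hunk.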
@@ -113,6 +115,7 @@ - config - config-validation - kolla-ansible + - kayobe-generate-config gather_facts: False tasks: - name: Set Kolla Ansible host variables @@ -142,6 +145,7 @@ - config - config-validation - kolla-ansible + - kayobe-generate-config gather_facts: False tasks: - name: Set Kolla Ansible host variables diff --git a/ansible/kolla-bifrost.yml b/ansible/kolla-bifrost.yml index 87023deb5..88b7b4a1b 100644 --- a/ansible/kolla-bifrost.yml +++ b/ansible/kolla-bifrost.yml @@ -3,6 +3,7 @@ hosts: localhost tags: - kolla-bifrost + - bifrost roles: - role: kolla-bifrost diff --git a/ansible/kolla-openstack.yml b/ansible/kolla-openstack.yml index ea2aec967..a2c1152f0 100644 --- a/ansible/kolla-openstack.yml +++ b/ansible/kolla-openstack.yml @@ -7,6 +7,7 @@ - config-validation - kolla-ansible - kolla-openstack + - kayobe-generate-config tasks: - name: Create controllers group with ironic enabled group_by: @@ -19,6 +20,7 @@ tags: - kolla-ansible - kolla-openstack + - kayobe-generate-config vars: # These are the filenames generated by overcloud-ipa-build.yml. ipa_image_name: "ipa" @@ -57,6 +59,7 @@ tags: - kolla-ansible - kolla-openstack + - kayobe-generate-config vars: switch_type_to_device_type: arista: netmiko_arista_eos diff --git a/doc/source/administration/overcloud.rst b/doc/source/administration/overcloud.rst index 13080a33f..f27187d22 100644 --- a/doc/source/administration/overcloud.rst +++ b/doc/source/administration/overcloud.rst @@ -15,7 +15,7 @@ necessary to update these prior to running a package update. To do this, update the configuration in ``${KAYOBE_CONFIG_PATH}/dnf.yml`` and run the following command:: - (kayobe) $ kayobe overcloud host configure --tags dnf --kolla-tags none + (kayobe) $ kayobe overcloud host configure --tags dnf Package Update -------------- 
@@ -80,10 +80,9 @@ improved by specifying Ansible tags to limit the tasks run in kayobe and/or kolla-ansible's playbooks. This may require knowledge of the inner workings of these tools but in general, kolla-ansible tags the play used to configure each service by the name of that service. For example: ``nova``, ``neutron`` or -``ironic``. Use ``-t`` or ``--tags`` to specify kayobe tags and ``-kt`` or -``--kolla-tags`` to specify kolla-ansible tags. For example:: +``ironic``. Use ``-t`` or ``--tags`` to specify tags. For example:: - (kayobe) $ kayobe overcloud service reconfigure --tags config --kolla-tags nova,ironic + (kayobe) $ kayobe overcloud service reconfigure --tags nova,ironic Deploying Updated Container Images ================================== @@ -105,10 +104,9 @@ improved by specifying Ansible tags to limit the tasks run in kayobe and/or kolla-ansible's playbooks. This may require knowledge of the inner workings of these tools but in general, kolla-ansible tags the play used to configure each service by the name of that service. For example: ``nova``, ``neutron`` or -``ironic``. Use ``-t`` or ``--tags`` to specify kayobe tags and ``-kt`` or -``--kolla-tags`` to specify kolla-ansible tags. For example:: +``ironic``. Use ``-t`` or ``--tags`` to specify tags. For example:: - (kayobe) $ kayobe overcloud service deploy containers --kolla-tags nova,ironic + (kayobe) $ kayobe overcloud service deploy containers --tags nova,ironic Upgrading Containerised Services ================================ @@ -126,9 +124,9 @@ To upgrade the containerised control plane services:: (kayobe) $ kayobe overcloud service upgrade As for the reconfiguration command, it is possible to specify tags for Kayobe -and/or kolla-ansible:: +and kolla-ansible:: - (kayobe) $ kayobe overcloud service upgrade --tags config --kolla-tags keystone + (kayobe) $ kayobe overcloud service upgrade --tags keystone Running Prechecks ================= 
@@ -137,10 +135,10 @@ Sometimes it may be useful to run prechecks without deploying services:: (kayobe) $ kayobe overcloud service prechecks -As for other similar commands, it is possible to specify tags for Kayobe and/or +As for other similar commands, it is possible to specify tags for Kayobe and kolla-ansible:: - (kayobe) $ kayobe overcloud service upgrade --tags config --kolla-tags keystone + (kayobe) $ kayobe overcloud service upgrade --tags keystone Stopping the Overcloud Services =============================== @@ -156,12 +154,11 @@ To stop the overcloud services:: It should be noted that this state is persistent - containers will remain stopped after a reboot of the host on which they are running. -It is possible to limit the operation to particular hosts via -``--kolla-limit``, or to particular services via ``--kolla-tags``. It is also -possible to avoid stopping the common containers via ``--kolla-skip-tags -common``. For example: +It is possible to limit the operation to particular hosts via ``--limit``, or +to particular services via ``--tags``. It is also possible to avoid stopping +the common containers via ``--skip-tags common``. For example: - (kayobe) $ kayobe overcloud service stop --kolla-tags glance,nova --kolla-skip-tags common + (kayobe) $ kayobe overcloud service stop --tags glance,nova --skip-tags common Destroying the Overcloud Services ================================= diff --git a/doc/source/administration/seed.rst b/doc/source/administration/seed.rst index b0bf5d0d7..0e2f8ba35 100644 --- a/doc/source/administration/seed.rst +++ b/doc/source/administration/seed.rst 
@@ -31,10 +31,7 @@ To destroy the seed services:: This can optionally be used with a tag:: - (kayobe) $ kayobe seed service destroy --yes-i-really-really-mean-it -kt none -t docker-registry - -Care must be taken to set both kayobe and kolla tags to avoid accidentally -destroying other services. + (kayobe) $ kayobe seed service destroy --yes-i-really-really-mean-it -t docker-registry Updating Packages ================= @@ -49,7 +46,7 @@ necessary to update these prior to running a package update. To do this, update the configuration in ``${KAYOBE_CONFIG_PATH}/dnf.yml`` and run the following command:: - (kayobe) $ kayobe seed host configure --tags dnf --kolla-tags none + (kayobe) $ kayobe seed host configure --tags dnf Package Update -------------- diff --git a/doc/source/configuration/reference/vgpu.rst b/doc/source/configuration/reference/vgpu.rst index 693c89d21..fcfe6cef9 100644 --- a/doc/source/configuration/reference/vgpu.rst +++ b/doc/source/configuration/reference/vgpu.rst @@ -226,7 +226,7 @@ To apply the configuration to Nova: .. code:: shell - (kayobe) $ kayobe overcloud service deploy -kt nova + (kayobe) $ kayobe overcloud service deploy -t nova OpenStack flavors ================= @@ -307,4 +307,4 @@ Reconfigure nova to match the change: .. code:: shell - (kayobe) $ kayobe overcloud service reconfigure -kt nova --kolla-limit computegpu000 --skip-prechecks + (kayobe) $ kayobe overcloud service reconfigure -t nova --limit computegpu000 --skip-prechecks diff --git a/doc/source/deployment.rst b/doc/source/deployment.rst index c39d0fe3c..5148700a8 100644 --- a/doc/source/deployment.rst +++ b/doc/source/deployment.rst 
@@ -217,9 +217,10 @@ After this command has completed the seed services will be active. .. note:: - Bifrost deployment behaviour is split between Kayobe and Kolla-Ansible. As - such, you should use both ``--tags kolla-bifrost`` and ``--kolla-tags - bifrost`` if you want to limit to Bifrost deployment. + You can use ``--tags bifrost`` if you want to limit to just the Bifrost + deployment. Note however that using tags is not tested in either Kayobe or + Kolla-Ansible CI, and as such should only be used if you know what you're + doing. Proceed with caution. .. seealso:: diff --git a/doc/source/upgrading.rst b/doc/source/upgrading.rst index bbe6b1d96..b0e221aca 100644 --- a/doc/source/upgrading.rst +++ b/doc/source/upgrading.rst @@ -450,7 +450,13 @@ To upgrade the containerised control plane services:: (kayobe) $ kayobe overcloud service upgrade -It is possible to specify tags for Kayobe and/or kolla-ansible to restrict the +It is possible to specify tags for Kayobe and kolla-ansible to restrict the scope of the upgrade:: - (kayobe) $ kayobe overcloud service upgrade --tags config --kolla-tags keystone + (kayobe) $ kayobe overcloud service upgrade --tags keystone + +.. note:: + + Using tags is not tested in either Kayobe or Kolla-Ansible CI, and as such + should only be used if you know what you're doing. Proceed with caution. + diff --git a/doc/source/usage.rst b/doc/source/usage.rst index 499a1b5ee..94269f959 100644 --- a/doc/source/usage.rst +++ b/doc/source/usage.rst 
@@ -63,12 +63,11 @@ Limiting Hosts Sometimes it may be necessary to limit execution of kayobe or kolla-ansible plays to a subset of the hosts. The ``--limit `` argument allows the -kayobe ansible hosts to be limited. The ``--kolla-limit `` argument -allows the kolla-ansible hosts to be limited. These two options may be -combined in a single command. In both cases, the argument provided should be +kayobe and kolla-ansible hosts to be limited. The argument provided should be an `Ansible host pattern `_, and will -ultimately be passed to ``ansible-playbook`` as a ``--limit`` argument. +ultimately be passed to ``ansible-playbook`` for both kayobe and kolla-ansible +as a ``--limit`` argument. .. _usage-tags: @@ -77,12 +76,15 @@ Tags `Ansible tags `_ provide a useful mechanism for executing a subset of the plays or tasks in a -playbook. The ``--tags `` argument allows execution of kayobe ansible -playbooks to be limited to matching plays and tasks. The ``--kolla-tags -`` argument allows execution of kolla-ansible ansible playbooks to be -limited to matching plays and tasks. The ``--skip-tags `` and -``--kolla-skip-tags `` arguments allow for avoiding execution of matching -plays and tasks. +playbook. The ``--tags `` argument allows execution of kayobe and +kolla-ansible playbooks to be limited to matching plays and tasks. The +``--skip-tags `` argument allows for avoiding execution of matching plays +and tasks. + +.. note:: + + Using tags is not tested in either Kayobe or Kolla-Ansible CI, and as such + should only be used if you know what you're doing. Proceed with caution. Check and diff mode ------------------- diff --git a/kayobe/ansible.py b/kayobe/ansible.py index caa6df7b1..6abd416a3 100644 --- a/kayobe/ansible.py +++ b/kayobe/ansible.py 
@@ -213,6 +213,8 @@ def build_args(parsed_args, playbooks, cmd += ["--skip-tags", parsed_args.skip_tags] if parsed_args.tags or tags: all_tags = [t for t in [parsed_args.tags, tags] if t] + # Always run kayobe-generate-config (unless the tag is skipped). + all_tags += ["kayobe-generate-config"] cmd += ["--tags", ",".join(all_tags)] cmd += playbooks return cmd diff --git a/kayobe/cli/commands.py b/kayobe/cli/commands.py index 4dbcb4cdc..a0213be70 100644 --- a/kayobe/cli/commands.py +++ b/kayobe/cli/commands.py @@ -14,6 +14,7 @@ import glob import json +import logging import os import re import sys @@ -30,6 +31,8 @@ # This is set to an arbitrary large number to simplify the sorting logic DEFAULT_SEQUENCE_NUMBER = sys.maxsize +LOG = logging.getLogger(__name__) + def _build_playbook_list(*playbooks): """Return a list of names of playbook files given their basenames.""" 
@@ -115,6 +118,31 @@ def generate_kolla_ansible_config(self, parsed_args, install=False, self.run_kayobe_playbooks(parsed_args, playbooks, ignore_limit=True, check=False) + def handle_kolla_tags_limits_deprecation(self, parsed_args): + if (parsed_args.kolla_limit or parsed_args.kolla_tags or + parsed_args.kolla_skip_tags): + self.app.LOG.warning("The use of --kolla-tags, --kolla-limit, and " + "--kolla-skip-tags is deprecated. Please " + "switch to just using --tags, --limit, or " + "--skip-tags, these are now passed into " + "kolla-ansible too. Kolla tags/limit will be " + "removed in the next release.") + if parsed_args.limit and parsed_args.kolla_limit: + self.app.LOG.error("You can no longer use both --limit and " + "--kolla-limit at the same time. Please switch " + "to just using --limit") + sys.exit(1) + if parsed_args.tags and parsed_args.kolla_tags: + self.app.LOG.error("You can no longer use both --tags and " + "--kolla-tags at the same time. Please switch " + "to just using --tags") + sys.exit(1) + if parsed_args.skip_tags and parsed_args.kolla_skip_tags: + self.app.LOG.error("You can no longer use both --skip-tags and " + "--kolla-skip-tags at the same time. Please " + "switch to just using --skip-tags") + sys.exit(1) + class KollaAnsibleMixin(object): """Mixin class for commands running Kolla Ansible.""" @@ -277,6 +305,7 @@ def get_parser(self, prog_name): def take_action(self, parsed_args): self.app.LOG.debug("Bootstrapping Kayobe Ansible control host") + self.handle_kolla_tags_limits_deprecation(parsed_args) ansible.install_galaxy_roles(parsed_args) ansible.install_galaxy_collections(parsed_args) playbooks = _build_playbook_list("bootstrap") @@ -503,6 +532,8 @@ def add_kolla_ansible_args(self, group): def take_action(self, parsed_args): self.app.LOG.debug("Running Kolla Ansible command") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args) 
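Review bot: `handle_kolla_tags_limits_deprecation` reads `parsed_args.kolla_limit`, `kolla_tags` and `kolla_skip_tags` as plain attributes, so it depends on every calling command having registered the Kolla Ansible options on its parser. The bootstrap command in the `@@ -277` hunk calls it and its base classes are not visible here; if such a command lacks those options the call raises AttributeError before any work is done. Reading them defensively removes the coupling, e.g. `kolla_limit = getattr(parsed_args, "kolla_limit", None)` and likewise for the other two. The method also has no docstring; one line saying that it warns on deprecated options and exits with status 1 when a deprecated option is combined with its replacement would document the exit side effect. The enclosing class starts outside the hunk.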
@@ -683,6 +714,7 @@ class SeedVMProvision(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin, def take_action(self, parsed_args): self.app.LOG.debug("Provisioning seed VM") + self.handle_kolla_tags_limits_deprecation(parsed_args) self.run_kayobe_playbook(parsed_args, _get_playbook_path("ip-allocation"), limit="seed") @@ -701,6 +733,7 @@ class SeedVMDeprovision(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin, def take_action(self, parsed_args): self.app.LOG.debug("Deprovisioning seed VM") + self.handle_kolla_tags_limits_deprecation(parsed_args) self.run_kayobe_playbook(parsed_args, _get_playbook_path("seed-vm-deprovision")) @@ -836,6 +869,7 @@ class SeedServiceDeploy(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin, def take_action(self, parsed_args): self.app.LOG.debug("Deploying seed services") + self.handle_kolla_tags_limits_deprecation(parsed_args) playbooks = _build_playbook_list( "seed-manage-containers") extra_vars = {"kayobe_action": "deploy"} @@ -870,6 +904,7 @@ def take_action(self, parsed_args): "you understand this.") sys.exit(1) self.app.LOG.debug("Destroying seed services") + self.handle_kolla_tags_limits_deprecation(parsed_args) self.generate_kolla_ansible_config(parsed_args, service_config=False, bifrost_config=False) extra_args = ["--yes-i-really-really-mean-it"] @@ -911,6 +946,7 @@ class SeedServiceUpgrade(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin, def take_action(self, parsed_args): self.app.LOG.debug("Upgrading seed services") + self.handle_kolla_tags_limits_deprecation(parsed_args) playbooks = _build_playbook_list( "seed-manage-containers") extra_vars = {"kayobe_action": "deploy"} 
@@ -1278,6 +1314,8 @@ class OvercloudFactsGather(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin, def take_action(self, parsed_args): self.app.LOG.debug("Gathering overcloud host facts") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # Gather facts for Kayobe. playbooks = _build_playbook_list("overcloud-facts-gather") self.run_kayobe_playbooks(parsed_args, playbooks) @@ -1415,6 +1453,8 @@ def get_parser(self, prog_name): def take_action(self, parsed_args): self.app.LOG.debug("Performing overcloud database backup") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args, service_config=False) @@ -1443,6 +1483,8 @@ def take_action(self, parsed_args): self.app.LOG.debug("Performing overcloud database recovery") extra_vars = {} + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args, service_config=True) @@ -1480,6 +1522,8 @@ def get_parser(self, prog_name): def take_action(self, parsed_args): self.app.LOG.debug("Generating overcloud service configuration") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args) @@ -1511,6 +1555,7 @@ def get_parser(self, prog_name): def take_action(self, parsed_args): self.app.LOG.debug("Validating overcloud service configuration") + self.handle_kolla_tags_limits_deprecation(parsed_args) extra_vars = {} if parsed_args.output_dir: extra_vars[ @@ -1575,8 +1620,8 @@ class OvercloudServiceDeploy(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin, * Configure and deploy kayobe extra services. * Generate openrc files for the admin user. - This can be used in conjunction with the --tags and --kolla-tags arguments - to deploy specific services. + This can be used in conjunction with the --tags argument to deploy specific + services. """ def get_parser(self, prog_name): 
@@ -1589,6 +1634,8 @@ def get_parser(self, prog_name): def take_action(self, parsed_args): self.app.LOG.debug("Deploying overcloud services") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args) @@ -1624,8 +1671,8 @@ class OvercloudServiceDeployContainers(KollaAnsibleMixin, KayobeAnsibleMixin, * Perform a kolla-ansible deployment of the overcloud service containers. * Configure and deploy kayobe extra services. - This can be used in conjunction with the --tags and --kolla-tags arguments - to deploy specific services. + This can be used in conjunction with the --tags argument to deploy specific + services. """ def get_parser(self, prog_name): @@ -1639,6 +1686,8 @@ def get_parser(self, prog_name): def take_action(self, parsed_args): self.app.LOG.debug("Deploying overcloud services (containers only)") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args) @@ -1665,13 +1714,15 @@ class OvercloudServicePrechecks(KollaAnsibleMixin, KayobeAnsibleMixin, * Perform kolla-ansible prechecks to verify the system state for deployment. - This can be used in conjunction with the --tags and --kolla-tags arguments - to check specific services. + This can be used in conjunction with the --tags argument to check specific + services. """ def take_action(self, parsed_args): self.app.LOG.debug("Running overcloud prechecks") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args) 
@@ -1699,8 +1750,8 @@ class OvercloudServiceReconfigure(KollaAnsibleMixin, KayobeAnsibleMixin, * Configure and deploy kayobe extra services. * Generate openrc files for the admin user. - This can be used in conjunction with the --tags and --kolla-tags arguments - to reconfigure specific services. + This can be used in conjunction with the --tags argument to reconfigure + specific services. """ def get_parser(self, prog_name): @@ -1713,6 +1764,8 @@ def get_parser(self, prog_name): def take_action(self, parsed_args): self.app.LOG.debug("Reconfiguring overcloud services") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args) @@ -1746,8 +1799,8 @@ class OvercloudServiceStop(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin, * Perform a kolla-ansible stop of the overcloud services. * Stop kayobe extra services. - This can be used in conjunction with the --tags and --kolla-tags arguments - to stop specific services. + This can be used in conjunction with the --tags argument to stop specific + services. """ def get_parser(self, prog_name): @@ -1768,6 +1821,8 @@ def take_action(self, parsed_args): self.app.LOG.debug("Stopping overcloud services") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args) @@ -1795,8 +1850,8 @@ class OvercloudServiceUpgrade(KollaAnsibleMixin, KayobeAnsibleMixin, * Configure and upgrade kayobe extra services. * Regenerate openrc files for the admin user. - This can be used in conjunction with the --tags and --kolla-tags arguments - to upgrade specific services. + This can be used in conjunction with the --tags argument to upgrade + specific services. """ def get_parser(self, prog_name): 
@@ -1809,6 +1864,8 @@ def get_parser(self, prog_name): def take_action(self, parsed_args): self.app.LOG.debug("Upgrading overcloud services") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args, install=True) @@ -1860,6 +1917,8 @@ def take_action(self, parsed_args): self.app.LOG.debug("Destroying overcloud services") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args) @@ -1882,6 +1941,8 @@ class OvercloudContainerImagePull(KayobeAnsibleMixin, KollaAnsibleMixin, def take_action(self, parsed_args): self.app.LOG.debug("Pulling overcloud container images") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args, service_config=False) diff --git a/kayobe/cmd/kayobe.py b/kayobe/cmd/kayobe.py index 5e3fadf15..25f5f44ec 100644 --- a/kayobe/cmd/kayobe.py +++ b/kayobe/cmd/kayobe.py @@ -18,6 +18,31 @@ from kayobe import version +import logging + + +class CustomFormatter(logging.Formatter): + + grey = "\x1b[38;20m" + yellow = "\x1b[33;20m" + red = "\x1b[31;20m" + bold_red = "\x1b[31;1m" + reset = "\x1b[0m" + format = "[%(levelname)s]: %(message)s" + + FORMATS = { + logging.DEBUG: grey + format + reset, + logging.INFO: grey + format + reset, + logging.WARNING: yellow + format + reset, + logging.ERROR: red + format + reset, + logging.CRITICAL: bold_red + format + reset + } + + def format(self, record): + log_fmt = self.FORMATS.get(record.levelno) + formatter = logging.Formatter(log_fmt) + return formatter.format(record) + class KayobeApp(App): 
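Review bot: In `CustomFormatter` the class attribute `format` is rebound by the `format` method defined a few lines below it. The name only means the format string while `FORMATS` is being evaluated, and the class works purely because of that statement order. Renaming the string avoids the trap. Building the per-level formatters once also avoids constructing a new `logging.Formatter` for every record. A level that is not in the table keeps the plain default format, as it does now.

```python
class CustomFormatter(logging.Formatter):
    # ... unchanged: colour escape constants ...
    fmt = "[%(levelname)s]: %(message)s"

    # Built once; the format string no longer shares a name with format().
    FORMATTERS = {
        logging.DEBUG: logging.Formatter(grey + fmt + reset),
        logging.INFO: logging.Formatter(grey + fmt + reset),
        logging.WARNING: logging.Formatter(yellow + fmt + reset),
        logging.ERROR: logging.Formatter(red + fmt + reset),
        logging.CRITICAL: logging.Formatter(bold_red + fmt + reset),
    }
    DEFAULT = logging.Formatter()

    def format(self, record):
        return self.FORMATTERS.get(record.levelno, self.DEFAULT).format(record)
```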
@@ -33,6 +58,14 @@ def __init__(self): def initialize_app(self, argv): self.LOG.debug('initialize_app') + def configure_logging(self): + super().configure_logging() + root_logger = logging.getLogger('') + # Override log formatter + for handler in root_logger.handlers: + if isinstance(handler, logging.StreamHandler): + handler.setFormatter(CustomFormatter()) + def prepare_to_run_command(self, cmd): self.LOG.debug('prepare_to_run_command %s', cmd.__class__.__name__) diff --git a/kayobe/kolla_ansible.py b/kayobe/kolla_ansible.py index 7b5c990c9..7304fe82d 100644 --- a/kayobe/kolla_ansible.py +++ b/kayobe/kolla_ansible.py @@ -54,16 +54,20 @@ def add_args(parser): "Kolla Ansible" % (CONFIG_PATH_ENV, DEFAULT_CONFIG_PATH), action='append') + # TODO(mattcrees): Remove kl, kt, and kolla-skip-tags in 2026.2. parser.add_argument("-kl", "--kolla-limit", metavar="SUBSET", - help="further limit selected hosts to an additional " + help="[DEPRECATED: Please use -l or --limit instead] " + "further limit selected hosts to an additional " "pattern") parser.add_argument("-kp", "--kolla-playbook", metavar="PLAYBOOK", help="path to Ansible playbook file") parser.add_argument("--kolla-skip-tags", metavar="TAGS", - help="only run plays and tasks whose tags do not " - "match these values in Kolla Ansible") + help="[DEPRECATED: Please use -skip-tags instead] " + "only run plays and tasks whose tags " + "do not match these values in Kolla Ansible") parser.add_argument("-kt", "--kolla-tags", metavar="TAGS", - help="only run plays and tasks tagged with these " + help="[DEPRECATED: Please use -t or --tags instead] " + "only run plays and tasks tagged with these " "values in Kolla Ansible") parser.add_argument("--kolla-venv", metavar="VENV", default=default_venv, help="path to virtualenv where Kolla Ansible is " 
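Review bot: The `isinstance(handler, logging.StreamHandler)` test in `configure_logging` also matches `logging.FileHandler`, which is a subclass of `StreamHandler`. If the parent class attaches a file handler (for a log-file option, say), that file would receive ANSI escape sequences and the timestamp-free `[%(levelname)s]: %(message)s` format, which makes persisted logs harder to search and to correlate afterwards. The override also applies when the stream is not a terminal, such as a CI pipe or redirected stderr. Narrowing the condition keeps colour on interactive consoles only: `if type(handler) is logging.StreamHandler and getattr(handler.stream, "isatty", lambda: False)():`.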
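Review bot: The new help text for `--kolla-skip-tags` in `add_args` names `-skip-tags`, which is missing a dash and is not an option a user can type; it should read `help="[DEPRECATED: Please use --skip-tags instead] "`. The TODO above it keeps `-kl`, `-kt` and `--kolla-skip-tags` until 2026.2, but the release note later in this patch says the options were "Removed". One of the two should change so that operators are not told an option is gone while it is still accepted.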
@@ -162,13 +166,17 @@ def build_args(parsed_args, command, inventory_filename, extra_vars=None, # Quote and escape variables originating within the python CLI. extra_var_value = utils.quote_and_escape(extra_var_value) cmd += ["-e", "%s=%s" % (extra_var_name, extra_var_value)] - if parsed_args.kolla_limit or limit: - limit_arg = utils.intersect_limits(parsed_args.kolla_limit, limit) + if parsed_args.limit or parsed_args.kolla_limit or limit: + limit_arg = utils.intersect_limits(parsed_args.limit, limit) + limit_arg = utils.intersect_limits(parsed_args.kolla_limit, limit_arg) cmd += ["--limit", utils.quote_and_escape(limit_arg)] - if parsed_args.kolla_skip_tags: - cmd += ["--skip-tags", parsed_args.kolla_skip_tags] - if parsed_args.kolla_tags or tags: - all_tags = [t for t in [parsed_args.kolla_tags, tags] if t] + if parsed_args.skip_tags or parsed_args.kolla_skip_tags: + all_tags = [t for t in [parsed_args.skip_tags, + parsed_args.kolla_skip_tags] if t] + cmd += ["--skip-tags", ",".join(all_tags)] + if parsed_args.tags or parsed_args.kolla_tags or tags: + all_tags = [t for t in [parsed_args.tags, parsed_args.kolla_tags, + tags] if t] cmd += ["--tags", ",".join(all_tags)] if parsed_args.list_tasks: cmd += ["--list-tasks"] diff --git a/kayobe/tests/unit/test_ansible.py b/kayobe/tests/unit/test_ansible.py index 00600287d..10352dd25 100644 --- a/kayobe/tests/unit/test_ansible.py +++ b/kayobe/tests/unit/test_ansible.py @@ -222,7 +222,7 @@ def test_run_playbooks_all_the_args(self, mock_validate, mock_vars, "--check", "--diff", "--limit", "group1:host", - "--tags", "tag1,tag2", + "--tags", "tag1,tag2,kayobe-generate-config", "playbook1.yml", "playbook2.yml", ] @@ -300,7 +300,7 @@ def test_run_playbooks_all_the_long_args(self, mock_ask, mock_validate, "--diff", "--limit", "group1:host1", "--skip-tags", "tag3,tag4", - "--tags", "tag1,tag2", + "--tags", "tag1,tag2,kayobe-generate-config", "playbook1.yml", "playbook2.yml", ] 
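Review bot: In `build_args` the limit is passed through `utils.quote_and_escape`, but the values for `--skip-tags` and `--tags` are joined and appended raw. This change now feeds the general `--tags` and `--skip-tags` arguments into them as well. How `cmd` is executed is outside the hunk, but the quoting of the limit and of the extra vars suggests it reaches a shell. If so, a tag value containing whitespace or shell metacharacters would be split or interpreted rather than passed through. Quoting the two values the same way keeps them consistent: `cmd += ["--skip-tags", utils.quote_and_escape(",".join(all_tags))]` and `cmd += ["--tags", utils.quote_and_escape(",".join(all_tags))]`. The function starts before and continues after this hunk.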
@@ -450,7 +450,7 @@ def test_run_playbooks_func_args(self, mock_validate, mock_vars, mock_run): "--check", "--diff", "--limit", "group1:host1:&group2:host2", - "--tags", "tag1,tag2,tag3,tag4", + "--tags", "tag1,tag2,tag3,tag4,kayobe-generate-config", "playbook1.yml", "playbook2.yml", ] diff --git a/kayobe/tests/unit/test_kolla_ansible.py b/kayobe/tests/unit/test_kolla_ansible.py index 68ddab221..d74e753b8 100644 --- a/kayobe/tests/unit/test_kolla_ansible.py +++ b/kayobe/tests/unit/test_kolla_ansible.py @@ -61,8 +61,8 @@ def test_run_all_the_args(self, mock_validate, mock_run): "--kolla-config-path", "/path/to/config", "-ke", "ev_name1=ev_value1", "-ki", "/path/to/inventory", - "-kl", "host1:host2", - "-kt", "tag1,tag2", + "-l", "host1:host2", + "-t", "tag1,tag2", "-kp", "/path/to/playbook", ] parsed_args = parser.parse_args(args) @@ -100,9 +100,9 @@ def test_run_all_the_long_args(self, mock_ask, mock_validate, mock_run): "--kolla-config-path", "/path/to/config", "--kolla-extra-vars", "ev_name1=ev_value1", "--kolla-inventory", "/path/to/inventory", - "--kolla-limit", "host1:host2", - "--kolla-skip-tags", "tag3,tag4", - "--kolla-tags", "tag1,tag2", + "--limit", "host1:host2", + "--skip-tags", "tag3,tag4", + "--tags", "tag1,tag2", "--kolla-playbook", "/path/to/playbook", ] parsed_args = parser.parse_args(args) @@ -194,7 +194,7 @@ def test_run_func_args(self, mock_validate, mock_run): vault.add_args(parser) args = [ "--kolla-extra-vars", "ev_name1=ev_value1", - "--kolla-tags", "tag1,tag2", + "--tags", "tag1,tag2", ] parsed_args = parser.parse_args(args) kwargs = { diff --git a/releasenotes/notes/drop-kolla-tags-and-kolla-limits-254faef5584176e1.yaml b/releasenotes/notes/drop-kolla-tags-and-kolla-limits-254faef5584176e1.yaml new file mode 100644 index 000000000..854451fbd --- /dev/null +++ b/releasenotes/notes/drop-kolla-tags-and-kolla-limits-254faef5584176e1.yaml 
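Review bot: The three `test_kolla_ansible.py` hunks (`test_run_all_the_args`, `test_run_all_the_long_args`, `test_run_func_args`) swap `-kl`, `-kt` and the `--kolla-*` options for `-l`, `-t`, `--limit`, `--skip-tags` and `--tags`. Within the visible hunks nothing then exercises the deprecated options, although `build_args` still accepts and merges them. I would add a case that passes both forms together, for example `--limit` with `--kolla-limit` and `--tags` with `--kolla-tags`, and asserts the intersected limit and the joined tag list. That pins the merge order until the options are removed. The test bodies continue outside the hunks.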
@@ -0,0 +1,22 @@ +--- +features: + - | + Added the tag ``bifrost`` to ``kolla-bifrost.yml`` so that we can easily + limit to Bifrost in ``kayobe seed service deploy``. + - | + Removed the options ``--kolla-tags`` and ``kolla-limit`` from all commands. + Regular ``--tags`` and ``--limit`` will now be passed directly to the + Kolla-Ansible invocations. Added the tag ``kayobe-generate-config`` to + ``kolla-ansible.yml`` and ``kolla-openstack.yml``. This tag is now always + called, to allow for limiting to OpenStack services with just one tag, e.g. + ``kayobe overcloud service deploy -t nova`. You can still skip this with + ``--skip-tags kayobe-generate-config``. +upgrade: + - | + Removed the options ``--kolla-tags`` and ``kolla-limit`` from all commands. + Regular ``--tags`` and ``--limit`` will now be passed directly to the + Kolla-Ansible invocations. Added the tag ``kayobe-generate-config`` to + ``kolla-ansible.yml`` and ``kolla-openstack.yml``. This tag is now always + called, to allow for limiting to OpenStack services with just one tag, e.g. + ``kayobe overcloud service deploy -t nova`. You can still skip this with + ``--skip-tags kayobe-generate-config``. From 20603ff29dc36110991d6164e5cb22d18940d931 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 17 Mar 2026 18:24:12 +0100 Subject: [PATCH 185/187] CI: Bump ansible-lint to 26.x Change-Id: I5f20b51346eb58d4a5cbf921b5387beb1056b24e Signed-off-by: Pierre Riteau --- test-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test-requirements.txt b/test-requirements.txt index f5270c8d3..0f57abc8e 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -2,7 +2,7 @@ # of appearance. Changing the order has an impact on the overall integration # process, which may cause wedges in the gate later. -ansible-lint>=25.0.0,<26.0.0 # MIT +ansible-lint>=26.0.0,<27.0.0 # MIT bandit>=1.1.0 # Apache-2.0 bashate>=0.2 # Apache-2.0 coverage>=4.0 # Apache-2.0 
From b0148ec4214ec3b72e85da6cd0689fe03310a2a0 Mon Sep 17 00:00:00 2001 From: Matt Crees Date: Tue, 3 Mar 2026 11:12:25 +0000 Subject: [PATCH 186/187] Drop backwards compatibility for template trusting With the G cycle, this feature is always supported. Change-Id: I0ccbfd7baa2ae43f06a91f34d8357d91e57317ee Signed-off-by: Matt Crees --- kayobe/plugins/action/kolla_ansible_host_vars.py | 11 +---------- kayobe/plugins/action/merge_configs.py | 10 +--------- kayobe/plugins/action/merge_yaml.py | 10 +--------- 3 files changed, 3 insertions(+), 28 deletions(-) diff --git a/kayobe/plugins/action/kolla_ansible_host_vars.py b/kayobe/plugins/action/kolla_ansible_host_vars.py index d6b620980..085e60004 100644 --- a/kayobe/plugins/action/kolla_ansible_host_vars.py +++ b/kayobe/plugins/action/kolla_ansible_host_vars.py @@ -13,16 +13,7 @@ # under the License. from ansible.plugins.action import ActionBase - -# TODO(dougszu): From Ansible 12 onwards we must explicitly trust templates. -# Since this feature is not supported in previous releases, we define a -# noop method here for backwards compatibility. This can be removed in the -# G cycle. -try: - from ansible.template import trust_as_template -except ImportError: - def trust_as_template(template): - return template +from ansible.template import trust_as_template class ConfigError(Exception): diff --git a/kayobe/plugins/action/merge_configs.py b/kayobe/plugins/action/merge_configs.py index d1c22e25a..605414bfc 100644 --- a/kayobe/plugins/action/merge_configs.py +++ b/kayobe/plugins/action/merge_configs.py 
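Review bot: With the fallback gone, `from ansible.template import trust_as_template` makes the action plugin fail at import time on any Ansible release older than 12, and the visible hunks of this patch do not raise the minimum supported Ansible version alongside it. The same applies to the `merge_configs.py` and `merge_yaml.py` hunks. The deleted comment was also the only explanation of why templates are explicitly trusted. I would keep one line above the import, such as `# Ansible 12+: template strings must be marked trusted before they are rendered.`. The call sites are outside these hunks, so it is worth confirming that only operator-supplied template content is passed to `trust_as_template`.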
@@ -24,15 +24,7 @@ from ansible import constants from ansible.plugins import action -# TODO(dougszu): From Ansible 12 onwards we must explicitly trust templates. -# Since this feature is not supported in previous releases, we define a -# noop method here for backwards compatibility. This can be removed in the -# G cycle. -try: - from ansible.template import trust_as_template -except ImportError: - def trust_as_template(template): - return template +from ansible.template import trust_as_template from io import StringIO diff --git a/kayobe/plugins/action/merge_yaml.py b/kayobe/plugins/action/merge_yaml.py index 41ab5f099..35d250371 100644 --- a/kayobe/plugins/action/merge_yaml.py +++ b/kayobe/plugins/action/merge_yaml.py @@ -27,15 +27,7 @@ from ansible import errors as ansible_errors from ansible.plugins import action -# TODO(dougszu): From Ansible 12 onwards we must explicitly trust templates. -# Since this feature is not supported in previous releases, we define a -# noop method here for backwards compatibility. This can be removed in the -# G cycle. -try: - from ansible.template import trust_as_template -except ImportError: - def trust_as_template(template): - return template +from ansible.template import trust_as_template DOCUMENTATION = ''' --- From fda826297f2659217530b74e2a56036698552422 Mon Sep 17 00:00:00 2001 From: Owen Jones Date: Wed, 25 Mar 2026 13:09:21 +0000 Subject: [PATCH 187/187] Build Rocky based IPA images When `os_distribution` is set to `rocky`, IPA images will now be built using Rocky, rather than CentOS Stream. Original-author: Will Szumski Change-Id: I9fbfaeb1b88e747de1a7c16934d3c46f7cc82d3d 
Signed-off-by: Owen Jones (Original WIP: https://review.opendev.org/c/openstack/kayobe/+/924498) --- ansible/inventory/group_vars/all/ipa | 21 +++++++++++-------- etc/kayobe/ipa.yml | 9 ++++---- .../build-rocky-ipa-f59e45e6fea6a4c4.yaml | 11 ++++++++++ 3 files changed, 28 insertions(+), 13 deletions(-) create mode 100644 releasenotes/notes/build-rocky-ipa-f59e45e6fea6a4c4.yaml diff --git a/ansible/inventory/group_vars/all/ipa b/ansible/inventory/group_vars/all/ipa index e021de913..d8542b929 100644 --- a/ansible/inventory/group_vars/all/ipa +++ b/ansible/inventory/group_vars/all/ipa @@ -23,16 +23,16 @@ ipa_builder_source_version: "{{ openstack_branch }}" ipa_build_dib_host_packages_extra: [ 'zstd' ] # List of default Diskimage Builder (DIB) elements to use when building IPA -# images. Default is ["centos", "dynamic-login", "enable-serial-console", -# "ironic-python-agent-ramdisk"] when os_distribution is "rocky", and -# ["ubuntu", "dynamic-login", "enable-serial-console", +# images. Default is ["rocky-container", "dynamic-login", +# "enable-serial-console", "ironic-python-agent-ramdisk"] when os_distribution +# is "rocky", and ["ubuntu", "dynamic-login", "enable-serial-console", # "ironic-python-agent-ramdisk"] otherwise. ipa_build_dib_elements_default: - # TODO(mattcrees): Use {{ os_distribution }} here when Rocky IPA builds work. - - "{{ 'centos' if os_distribution == 'rocky' else os_distribution }}" + - "{{ 'rocky-container' if os_distribution == 'rocky' else os_distribution }}" - dynamic-login - enable-serial-console - ironic-python-agent-ramdisk + - baremetal # List of additional Diskimage Builder (DIB) elements to use when building IPA # images. Default is none. 
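Review bot: The comment above `ipa_build_dib_elements_default` still documents four default elements for each distribution, but the list now ends with `- baremetal`, which is added for every `os_distribution` and not only for Rocky. Both documented defaults should include `"baremetal"`. The same comment is duplicated in the `etc/kayobe/ipa.yml` hunk at `@@ -23,9 +23,9 @@` and needs the same correction.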
@@ -48,8 +48,9 @@ ipa_build_dib_elements: > # Dictionary of default environment variables to provide to Diskimage Builder # (DIB) during IPA image build. ipa_build_dib_env_default: - # TODO(mattcrees): Use {{ os_release }} here when Rocky IPA builds work. - DIB_RELEASE: "{{ '9-stream' if os_distribution == 'rocky' else os_release }}" + DIB_RELEASE: "{{ os_release }}" + DIB_CONTAINERFILE_RUNTIME: "{{ container_engine }}" + DIB_CONTAINERFILE_RUNTIME_ROOT: "{{ (container_engine == 'podman') | int }}" DIB_REPOLOCATION_ironic_python_agent: "{{ ipa_build_source_url }}" DIB_REPOREF_ironic_python_agent: "{{ ipa_build_source_version }}" DIB_REPOREF_requirements: "{{ ipa_build_source_version }}" @@ -84,8 +85,10 @@ ipa_build_dib_git_elements_extra: [] ipa_build_dib_git_elements: >- {{ ipa_build_dib_git_elements_default + ipa_build_dib_git_elements_extra }} -# List of DIB packages to install. Default is empty list. -ipa_build_dib_packages: [] +# List of DIB packages to install. Default is ["python3-yaml"] when +# when os_distribution is "rocky", otherwise []. +ipa_build_dib_packages: >- + {{ ["python3-yaml"] if os_distribution == 'rocky' else [] }} # Upper constraints file for installing packages in the virtual environment # used for building IPA images. Default is {{ pip_upper_constraints_file }}. diff --git a/etc/kayobe/ipa.yml b/etc/kayobe/ipa.yml index b64320685..bfe675d97 100644 --- a/etc/kayobe/ipa.yml +++ b/etc/kayobe/ipa.yml 
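Review bot: `DIB_CONTAINERFILE_RUNTIME_ROOT` evaluates to 1 whenever `container_engine` is `podman`, which asks the DIB containerfile element to run the container runtime as root during the image build. Nothing in `ipa_build_dib_env_default` says why that privilege is needed for Podman and not for Docker. A comment above the two new keys would record it, for example `# DIB_CONTAINERFILE_RUNTIME_ROOT=1 runs the container runtime as root; set for podman only.`, together with the actual reason. The two variables are also exported for every distribution, although presumably only the `rocky-container` element reads them.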
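Review bot: The rewritten comment for `ipa_build_dib_packages` repeats a word across the line break ("when" at the end of one line and again at the start of the next). It should read `# List of DIB packages to install. Default is ["python3-yaml"] when` followed by `# os_distribution is "rocky", otherwise [].`. The same doubled word appears in the `etc/kayobe/ipa.yml` hunk at `@@ -64,7 +64,8 @@`.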
@@ -23,9 +23,9 @@ #ipa_build_dib_host_packages_extra: # List of default Diskimage Builder (DIB) elements to use when building IPA -# images. Default is ["centos", "dynamic-login", "enable-serial-console", -# "ironic-python-agent-ramdisk"] when os_distribution is "rocky", and -# ["ubuntu", "dynamic-login", "enable-serial-console", +# images. Default is ["rocky-container", "dynamic-login", +# "enable-serial-console", "ironic-python-agent-ramdisk"] when os_distribution +# is "rocky", and ["ubuntu", "dynamic-login", "enable-serial-console", # "ironic-python-agent-ramdisk"] otherwise. #ipa_build_dib_elements_default: @@ -64,7 +64,8 @@ # ipa_build_dib_git_elements_default and ipa_build_dib_git_elements_extra. #ipa_build_dib_git_elements: -# List of DIB packages to install. Default is empty list. +# List of DIB packages to install. Default is ["python3-yaml"] when +# when os_distribution is "rocky", otherwise []. #ipa_build_dib_packages: # Upper constraints file for installing packages in the virtual environment diff --git a/releasenotes/notes/build-rocky-ipa-f59e45e6fea6a4c4.yaml b/releasenotes/notes/build-rocky-ipa-f59e45e6fea6a4c4.yaml new file mode 100644 index 000000000..6d165b117 --- /dev/null +++ b/releasenotes/notes/build-rocky-ipa-f59e45e6fea6a4c4.yaml @@ -0,0 +1,11 @@ +--- +upgrade: + - | + Rocky Linux based Ironic Python Agent images are now built in Rocky Linux + based deployments rather than CentOS Stream: + ``ipa_build_dib_elements_default`` uses ``rocky-container`` element; + ``ipa_build_dib_packages`` includes the ``python3-yaml`` package; + ``ipa_build_dib_env_default`` uses specified ``os_release``; + and container runtime is set to ``container_engine``. + - | + ``baremetal`` element now included in ``ipa_build_dib_elements_default``