From ded3c040fa97ad77cd74ccb92f9ddcf2b3c692db Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Wed, 20 Sep 2023 09:14:17 +0100 Subject: [PATCH 01/13] kayobe-env: Unstick KOLLA_SOURCE_PATH and KOLLA_VENV_PATH The kayobe-env script does not update the KOLLA_SOURCE_PATH and KOLLA_VENV_PATH variables if they are already set. This can lead to dangerous and difficult to diagnose issues where Kayobe uses a different version of Kolla Ansible than expected. This change updates these variables each time the kayobe-env script is sourced. Change-Id: I3b4b0b611750b9c7846ff5f74554aee2f14939e4 Closes-Bug: #2036711 (cherry picked from commit 651b8be1a0a2dd38ab46253a0c4a9c7d617cf7bc) --- kayobe-env | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kayobe-env b/kayobe-env index 5137927e5..28b1cccdb 100644 --- a/kayobe-env +++ b/kayobe-env @@ -30,8 +30,8 @@ export KOLLA_CONFIG_PATH=$KAYOBE_CONFIG_ROOT/etc/kolla # kayobe/ # kolla-ansible/ base_path=$(realpath $KAYOBE_CONFIG_ROOT/../../) -export KOLLA_SOURCE_PATH=${KOLLA_SOURCE_PATH:-${base_path}/src/kolla-ansible} -export KOLLA_VENV_PATH=${KOLLA_VENV_PATH:-${base_path}/venvs/kolla-ansible} +export KOLLA_SOURCE_PATH=${base_path}/src/kolla-ansible +export KOLLA_VENV_PATH=${base_path}/venvs/kolla-ansible function check_and_export_env { # Look for existing Kayobe environments From d422259ce1ff8fbc800379fe3be5f5d83052a431 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 8 Dec 2023 12:10:48 +0100 Subject: [PATCH 02/13] Synchronise with kayobe stable/yoga Synchronise with kayobe @ 32b12be953d0c2f60970a95b82d0ebf846d0f86f. Change-Id: Ib4b75c084820f16ce245c1e1c50f10ccb2083537 --- etc/kayobe/bifrost.yml | 3 +++ etc/kayobe/compute.yml | 8 ++++---- etc/kayobe/controllers.yml | 8 ++++---- etc/kayobe/globals.yml | 5 ++--- etc/kayobe/infra-vms.yml | 16 +++++++++------- etc/kayobe/kolla.yml | 22 ++++++++++++++++++---- etc/kayobe/monitoring.yml | 6 +++--- etc/kayobe/seed-hypervisor.yml | 4 ++-- etc/kayobe/seed-vm.yml | 10 ++++++---- etc/kayobe/seed.yml | 12 ++++++++---- etc/kayobe/storage.yml | 8 ++++---- 11 files changed, 63 insertions(+), 39 deletions(-) diff --git a/etc/kayobe/bifrost.yml b/etc/kayobe/bifrost.yml index a9eba19dd..d15d18613 100644 --- a/etc/kayobe/bifrost.yml +++ b/etc/kayobe/bifrost.yml @@ -116,6 +116,9 @@ # Ironic inspector deployment ramdisk location. #kolla_bifrost_inspector_deploy_ramdisk: +# Ironic inspector legacy deployment kernel location. +#kolla_bifrost_inspector_legacy_deploy_kernel: + # Timeout of hardware inspection on overcloud nodes, in seconds. Default is # {{ inspector_inspection_timeout }}. #kolla_bifrost_inspection_timeout: diff --git a/etc/kayobe/compute.yml b/etc/kayobe/compute.yml index b1d8d6562..57286b40c 100644 --- a/etc/kayobe/compute.yml +++ b/etc/kayobe/compute.yml @@ -63,15 +63,15 @@ ############################################################################### # Compute node LVM configuration. -# List of compute volume groups. See mrlesmithjr.manage-lvm role for +# List of compute volume groups. See mrlesmithjr.manage_lvm role for # format. #compute_lvm_groups: -# Default list of compute volume groups. See mrlesmithjr.manage-lvm role for +# Default list of compute volume groups. See mrlesmithjr.manage_lvm role for # format. #compute_lvm_groups_default: -# Additional list of compute volume groups. See mrlesmithjr.manage-lvm role +# Additional list of compute volume groups. See mrlesmithjr.manage_lvm role # for format. #compute_lvm_groups_extra: @@ -82,7 +82,7 @@ # 'docker_storage_driver' is set to 'devicemapper', or false otherwise. #compute_lvm_group_data_enabled: -# Compute LVM volume group for data. See mrlesmithjr.manage-lvm role for +# Compute LVM volume group for data. See mrlesmithjr.manage_lvm role for # format. #compute_lvm_group_data: diff --git a/etc/kayobe/controllers.yml b/etc/kayobe/controllers.yml index 983251c6c..4780ec444 100644 --- a/etc/kayobe/controllers.yml +++ b/etc/kayobe/controllers.yml @@ -72,15 +72,15 @@ ############################################################################### # Controller node LVM configuration. -# List of controller volume groups. See mrlesmithjr.manage-lvm role for +# List of controller volume groups. See mrlesmithjr.manage_lvm role for # format. #controller_lvm_groups: -# Default list of controller volume groups. See mrlesmithjr.manage-lvm role for +# Default list of controller volume groups. See mrlesmithjr.manage_lvm role for # format. #controller_lvm_groups_default: -# Additional list of controller volume groups. See mrlesmithjr.manage-lvm role +# Additional list of controller volume groups. See mrlesmithjr.manage_lvm role # for format. #controller_lvm_groups_extra: @@ -91,7 +91,7 @@ # 'docker_storage_driver' is set to 'devicemapper', or false otherwise. #controller_lvm_group_data_enabled: -# Controller LVM volume group for data. See mrlesmithjr.manage-lvm role for +# Controller LVM volume group for data. See mrlesmithjr.manage_lvm role for # format. #controller_lvm_group_data: diff --git a/etc/kayobe/globals.yml b/etc/kayobe/globals.yml index 16b791548..ecdc5970b 100644 --- a/etc/kayobe/globals.yml +++ b/etc/kayobe/globals.yml @@ -4,8 +4,7 @@ ############################################################################### # Local path configuration (Ansible control host). -# Path to Kayobe configuration directory on Ansible control host, with an -# environment path appended if kayobe_environment is set. +# Path to Kayobe configuration directory on Ansible control host. #kayobe_config_path: # Name of Kayobe environment to use. Default is $KAYOBE_ENVIRONMENT, or an @@ -50,7 +49,7 @@ #os_distribution: # OS release. Valid options are "8-stream" when os_distribution is "centos", or -# "8" when os_distribution is "rocky", or "focal" and "jammy" when +# "8" or "9" when os_distribution is "rocky", or "focal" and "jammy" when # os_distribution is "ubuntu". #os_release: diff --git a/etc/kayobe/infra-vms.yml b/etc/kayobe/infra-vms.yml index a802f5acc..069c0877c 100644 --- a/etc/kayobe/infra-vms.yml +++ b/etc/kayobe/infra-vms.yml @@ -32,10 +32,12 @@ # Base image for the infra VM root volume. Default is # "https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img" # when os_distribution is "ubuntu", or -# https://dl.rockylinux.org/pub/rocky/8/images/Rocky-8-GenericCloud.latest.x86_64.qcow2 -# when os_distribution is "rocky", +# https://dl.rockylinux.org/pub/rocky/8/images/x86_64/Rocky-8-GenericCloud.latest.x86_64.qcow2 +# when os_distribution is "rocky" and os_release is "8" # or -# "https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-20220913.0.x86_64.qcow2" +# https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 +# when os_distribution is "rocky" and os_release is "9" +# "https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-latest.x86_64.qcow2" # otherwise. #infra_vm_root_image: @@ -92,15 +94,15 @@ ############################################################################### # Infrastructure VM node LVM configuration. -# List of infrastructure vm volume groups. See mrlesmithjr.manage-lvm role for +# List of infrastructure vm volume groups. See mrlesmithjr.manage_lvm role for # format. #infra_vm_lvm_groups: -# Default list of infrastructure vm volume groups. See mrlesmithjr.manage-lvm +# Default list of infrastructure vm volume groups. See mrlesmithjr.manage_lvm # role for format. #infra_vm_lvm_groups_default: -# Additional list of infrastructure vm volume groups. See mrlesmithjr.manage-lvm +# Additional list of infrastructure vm volume groups. See mrlesmithjr.manage_lvm # role for format. #infra_vm_lvm_groups_extra: @@ -111,7 +113,7 @@ # 'docker_storage_driver' is set to 'devicemapper', or false otherwise. #infra_vm_lvm_group_data_enabled: -# Infrastructure VM LVM volume group for data. See mrlesmithjr.manage-lvm role +# Infrastructure VM LVM volume group for data. See mrlesmithjr.manage_lvm role # for format. #infra_vm_lvm_group_data: diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml index 16714ec39..1734696ea 100644 --- a/etc/kayobe/kolla.yml +++ b/etc/kayobe/kolla.yml @@ -67,8 +67,9 @@ # Kolla configuration. # Kolla base container image distribution. Options are "centos", "debian", -# "ubuntu". Default is -# {{ 'centos' if os_distribution == 'rocky' else os_distribution }}. +# "rocky", "ubuntu". Default is +# {{ 'centos' if (os_distribution == 'rocky' and os_release == '8') else +# os_distribution }}. #kolla_base_distro: # Kolla container image type: binary or source. Default is 'source'. @@ -298,6 +299,7 @@ #kolla_enable_gnocchi: #kolla_enable_gnocchi_statsd: #kolla_enable_grafana: +#kolla_enable_grafana_external: #kolla_enable_hacluster: #kolla_enable_haproxy: #kolla_enable_haproxy_memcached: @@ -337,6 +339,7 @@ #kolla_enable_keystone_federation: #kolla_enable_keystone_horizon_policy_file: #kolla_enable_kibana: +#kolla_enable_kibana_external: #kolla_enable_kuryr: #kolla_enable_loadbalancer: #kolla_enable_magnum: @@ -349,6 +352,8 @@ #kolla_enable_mariabackup: #kolla_enable_mariadb: #kolla_enable_masakari: +#kolla_enable_masakari_hostmonitor: +#kolla_enable_masakari_instancemonitor: #kolla_enable_memcached: #kolla_enable_mistral: #kolla_enable_monasca: @@ -379,6 +384,9 @@ #kolla_enable_nova_ssh: #kolla_enable_octavia: #kolla_enable_octavia_driver_agent: +#kolla_enable_opensearch: +#kolla_enable_opensearch_dashboards: +#kolla_enable_opensearch_dashboards_external: #kolla_enable_openstack_core: #kolla_enable_openvswitch: #kolla_enable_osprofiler: @@ -388,6 +396,7 @@ #kolla_enable_placement: #kolla_enable_prometheus: #kolla_enable_prometheus_alertmanager: +#kolla_enable_prometheus_alertmanager_external: #kolla_enable_prometheus_blackbox_exporter: #kolla_enable_prometheus_cadvisor: #kolla_enable_prometheus_ceph_mgr_exporter: @@ -397,6 +406,7 @@ #kolla_enable_prometheus_haproxy_exporter: #kolla_enable_prometheus_libvirt_exporter: #kolla_enable_prometheus_memcached_exporter: +#kolla_enable_prometheus_msteams: #kolla_enable_prometheus_mysqld_exporter: #kolla_enable_prometheus_node_exporter: #kolla_enable_prometheus_openstack_exporter: @@ -430,6 +440,10 @@ # Kolla passwords file. #kolla_ansible_default_custom_passwords: +# Dictionary containing extra custom passwords to add or override in the Kolla +# passwords file. +#kolla_ansible_extra_custom_passwords: + # Dictionary containing custom passwords to add or override in the Kolla # passwords file. #kolla_ansible_custom_passwords: @@ -469,7 +483,7 @@ # Path to a CA certificate file to use for the OS_CACERT environment variable # in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's # default. -#kolla_external_fqdn_cacert: +#kolla_public_openrc_cacert: # Internal API certificate bundle. # @@ -482,7 +496,7 @@ # Path to a CA certificate file to use for the OS_CACERT environment variable # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's # default. -#kolla_internal_fqdn_cacert: +#kolla_admin_openrc_cacert: ############################################################################### # Proxy configuration diff --git a/etc/kayobe/monitoring.yml b/etc/kayobe/monitoring.yml index f332ab938..5468936d3 100644 --- a/etc/kayobe/monitoring.yml +++ b/etc/kayobe/monitoring.yml @@ -63,15 +63,15 @@ ############################################################################### # Monitoring node LVM configuration. -# List of monitoring node volume groups. See mrlesmithjr.manage-lvm role for +# List of monitoring node volume groups. See mrlesmithjr.manage_lvm role for # format. #monitoring_lvm_groups: -# Default list of monitoring node volume groups. See mrlesmithjr.manage-lvm +# Default list of monitoring node volume groups. See mrlesmithjr.manage_lvm # role for format. #monitoring_lvm_groups_default: -# Additional list of monitoring node volume groups. See mrlesmithjr.manage-lvm +# Additional list of monitoring node volume groups. See mrlesmithjr.manage_lvm # role for format. #monitoring_lvm_groups_extra: diff --git a/etc/kayobe/seed-hypervisor.yml b/etc/kayobe/seed-hypervisor.yml index ac72fcd3d..dd8fbca23 100644 --- a/etc/kayobe/seed-hypervisor.yml +++ b/etc/kayobe/seed-hypervisor.yml @@ -36,7 +36,7 @@ ############################################################################### # Seed hypervisor node LVM configuration. -# List of seed hypervisor volume groups. See mrlesmithjr.manage-lvm role for +# List of seed hypervisor volume groups. See mrlesmithjr.manage_lvm role for # format. Set to "{{ seed_hypervisor_lvm_groups_with_data }}" to create a # volume group for libvirt storage. #seed_hypervisor_lvm_groups: @@ -45,7 +45,7 @@ # default. #seed_hypervisor_lvm_groups_with_data: -# Seed LVM volume group for data. See mrlesmithjr.manage-lvm role for format. +# Seed LVM volume group for data. See mrlesmithjr.manage_lvm role for format. #seed_hypervisor_lvm_group_data: # List of disks for use by seed hypervisor LVM data volume group. Default to an diff --git a/etc/kayobe/seed-vm.yml b/etc/kayobe/seed-vm.yml index 3856d51f2..24122b033 100644 --- a/etc/kayobe/seed-vm.yml +++ b/etc/kayobe/seed-vm.yml @@ -25,11 +25,13 @@ # Base image for the seed VM root volume. Default is # "https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img" -# when os_distribution is "ubuntu", -# https://dl.rockylinux.org/pub/rocky/8/images/Rocky-8-GenericCloud.latest.x86_64.qcow2 -# when os_distribution is "rocky", +# when os_distribution is "ubuntu", or +# https://dl.rockylinux.org/pub/rocky/8/images/x86_64/Rocky-8-GenericCloud.latest.x86_64.qcow2 +# when os_distribution is "rocky" and os_release is "8" # or -# "https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-20220913.0.x86_64.qcow2" +# https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2 +# when os_distribution is "rocky" and os_release is "9" +# "https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-latest.x86_64.qcow2" # otherwise. #seed_vm_root_image: diff --git a/etc/kayobe/seed.yml b/etc/kayobe/seed.yml index ade99307d..bc86fa627 100644 --- a/etc/kayobe/seed.yml +++ b/etc/kayobe/seed.yml @@ -36,14 +36,14 @@ ############################################################################### # Seed node LVM configuration. -# List of seed volume groups. See mrlesmithjr.manage-lvm role for format. +# List of seed volume groups. See mrlesmithjr.manage_lvm role for format. #seed_lvm_groups: -# Default list of seed volume groups. See mrlesmithjr.manage-lvm role for +# Default list of seed volume groups. See mrlesmithjr.manage_lvm role for # format. #seed_lvm_groups_default: -# Additional list of seed volume groups. See mrlesmithjr.manage-lvm role for +# Additional list of seed volume groups. See mrlesmithjr.manage_lvm role for # format. #seed_lvm_groups_extra: @@ -54,7 +54,7 @@ # 'docker_storage_driver' is set to 'devicemapper', or false otherwise. #seed_lvm_group_data_enabled: -# Seed LVM volume group for data. See mrlesmithjr.manage-lvm role for format. +# Seed LVM volume group for data. See mrlesmithjr.manage_lvm role for format. #seed_lvm_group_data: # List of disks for use by seed LVM data volume group. Default to an invalid @@ -106,6 +106,10 @@ # #seed_containers: +# Whether to attempt a basic authentication login to a registry when +# deploying seed containers +#seed_deploy_containers_registry_attempt_login: + ############################################################################### # Seed node firewalld configuration. diff --git a/etc/kayobe/storage.yml b/etc/kayobe/storage.yml index 535666c95..e9e52dfe6 100644 --- a/etc/kayobe/storage.yml +++ b/etc/kayobe/storage.yml @@ -68,15 +68,15 @@ ############################################################################### # Storage node LVM configuration. -# List of storage volume groups. See mrlesmithjr.manage-lvm role for +# List of storage volume groups. See mrlesmithjr.manage_lvm role for # format. #storage_lvm_groups: -# Default list of storage volume groups. See mrlesmithjr.manage-lvm role for +# Default list of storage volume groups. See mrlesmithjr.manage_lvm role for # format. #storage_lvm_groups_default: -# Additional list of storage volume groups. See mrlesmithjr.manage-lvm role +# Additional list of storage volume groups. See mrlesmithjr.manage_lvm role # for format. #storage_lvm_groups_extra: @@ -87,7 +87,7 @@ # 'docker_storage_driver' is set to 'devicemapper', or false otherwise. #storage_lvm_group_data_enabled: -# Storage LVM volume group for data. See mrlesmithjr.manage-lvm role for +# Storage LVM volume group for data. See mrlesmithjr.manage_lvm role for # format. #storage_lvm_group_data: From ac809cbf077abaae8b5d544155adb03f1e60f3e0 Mon Sep 17 00:00:00 2001 From: Matt Crees Date: Fri, 19 Jan 2024 14:34:55 +0000 Subject: [PATCH 03/13] Skip docker registry login by default, login only when pulp is deployed --- etc/kayobe/containers/pulp/post.yml | 7 +++++++ .../environments/aufn-ceph/a-universe-from-nothing.sh | 2 +- etc/kayobe/seed.yml | 4 ++++ 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/etc/kayobe/containers/pulp/post.yml b/etc/kayobe/containers/pulp/post.yml index fec1abb94..967c4e37d 100644 --- a/etc/kayobe/containers/pulp/post.yml +++ b/etc/kayobe/containers/pulp/post.yml @@ -27,3 +27,10 @@ when: - stackhpc_pulp_sync_for_local_container_build | bool - pulp_settings.changed + +- name: Login to docker registry + docker_login: + registry_url: "{{ kolla_docker_registry or omit }}" + username: "{{ kolla_docker_registry_username }}" + password: "{{ kolla_docker_registry_password }}" + reauthorize: yes diff --git a/etc/kayobe/environments/aufn-ceph/a-universe-from-nothing.sh b/etc/kayobe/environments/aufn-ceph/a-universe-from-nothing.sh index 1464e6127..03cd23439 100755 --- a/etc/kayobe/environments/aufn-ceph/a-universe-from-nothing.sh +++ b/etc/kayobe/environments/aufn-ceph/a-universe-from-nothing.sh @@ -87,7 +87,7 @@ kayobe seed vm provision kayobe seed host configure # Deploy local pulp server as a container on the seed VM -kayobe seed service deploy --tags seed-deploy-containers --kolla-tags none -e deploy_containers_registry_attempt_login=False +kayobe seed service deploy --tags seed-deploy-containers --kolla-tags # Deploying the seed restarts networking interface, run configure-local-networking.sh again to re-add routes. $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/configure-local-networking.sh diff --git a/etc/kayobe/seed.yml b/etc/kayobe/seed.yml index 96fa86ac0..524f6cff4 100644 --- a/etc/kayobe/seed.yml +++ b/etc/kayobe/seed.yml @@ -152,6 +152,10 @@ seed_containers: >- seed_extra_containers: {} +# Whether to attempt a basic authentication login to a registry when +# deploying seed containers +seed_deploy_containers_registry_attempt_login: "{{ not seed_pulp_container_enabled | bool }}" + ############################################################################### # Seed node firewalld configuration. From f70698b01429c7f13d1bca0b70f61bebad29f2c0 Mon Sep 17 00:00:00 2001 From: OpenStack Release Bot Date: Mon, 5 Feb 2024 16:06:31 +0000 Subject: [PATCH 04/13] Update .gitreview for unmaintained/yoga Change-Id: Ibd47c684580d35f58b0b715eab2e5110d17bb69a --- .gitreview | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitreview b/.gitreview index 9c0b64bdf..fa721c64d 100644 --- a/.gitreview +++ b/.gitreview @@ -2,4 +2,4 @@ host=review.opendev.org port=29418 project=openstack/kayobe-config.git -defaultbranch=stable/yoga +defaultbranch=unmaintained/yoga From 100f544225fdbe48802f77de569d7d127cb865f4 Mon Sep 17 00:00:00 2001 From: Alex-Welsh Date: Tue, 5 Mar 2024 15:35:03 +0000 Subject: [PATCH 05/13] Fix libvirt error for tenks on Rocky Linux 9 --- etc/kayobe/environments/aufn-ceph/tenks.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/etc/kayobe/environments/aufn-ceph/tenks.yml b/etc/kayobe/environments/aufn-ceph/tenks.yml index 9b0e9e9f4..25eac0374 100644 --- a/etc/kayobe/environments/aufn-ceph/tenks.yml +++ b/etc/kayobe/environments/aufn-ceph/tenks.yml @@ -87,3 +87,9 @@ bridge_type: linuxbridge # No placement service. wait_for_placement: false + +# NOTE(priteau): Disable libvirt_vm_trust_guest_rx_filters, which when enabled +# triggers the following errors when booting baremetal instances with Tenks on +# Libvirt 9: Cannot set interface flags on 'macvtap1': Value too large for +# defined data type +libvirt_vm_trust_guest_rx_filters: false From 4a20e1149ccb0cea2d7a50f73bb5db2eb2afd441 Mon Sep 17 00:00:00 2001 From: Matt Crees Date: Wed, 6 Mar 2024 09:26:40 +0000 Subject: [PATCH 06/13] Update etc/kayobe/environments/aufn-ceph/a-universe-from-nothing.sh --- etc/kayobe/environments/aufn-ceph/a-universe-from-nothing.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/kayobe/environments/aufn-ceph/a-universe-from-nothing.sh b/etc/kayobe/environments/aufn-ceph/a-universe-from-nothing.sh index 03cd23439..e594ea388 100755 --- a/etc/kayobe/environments/aufn-ceph/a-universe-from-nothing.sh +++ b/etc/kayobe/environments/aufn-ceph/a-universe-from-nothing.sh @@ -87,7 +87,7 @@ kayobe seed vm provision kayobe seed host configure # Deploy local pulp server as a container on the seed VM -kayobe seed service deploy --tags seed-deploy-containers --kolla-tags +kayobe seed service deploy --tags seed-deploy-containers --kolla-tags none # Deploying the seed restarts networking interface, run configure-local-networking.sh again to re-add routes. $KAYOBE_CONFIG_PATH/environments/$KAYOBE_ENVIRONMENT/configure-local-networking.sh From be1b504c68feee30019e73b7f705cb3d1203afe3 Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Wed, 6 Mar 2024 11:35:14 +0100 Subject: [PATCH 07/13] Switch ansible-modules-hashivault back to upstream 5.2.1 version was released with shebang fix [1]. [1]: TerryHowe/ansible-modules-hashivault@f1d30f1 --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 2089c4b3f..ba1a14f12 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ kayobe@git+https://github.com/stackhpc/kayobe@stackhpc/yoga ansible-modules-hashivault@git+https://github.com/stackhpc/ansible-modules-hashivault@stackhpc;python_version < "3.8" -ansible-modules-hashivault@git+https://github.com/stackhpc/ansible-modules-hashivault@stackhpc-py39;python_version >= "3.8" +ansible-modules-hashivault>=5.2.1;python_version >= "3.8" jmespath From fcfff10a8605bdedd8980a7dc7add7ad0be36c3f Mon Sep 17 00:00:00 2001 From: John Garbutt Date: Fri, 8 Mar 2024 14:16:45 +0000 Subject: [PATCH 08/13] Add Trivy image scanning (#436) Trivy scanning on container image build --------- Co-authored-by: k-s-dean Co-authored-by: Matt Anson Co-authored-by: Alex-Welsh --- .../stackhpc-container-image-build.yml | 131 ++++++++++++++---- etc/kayobe/ansible/docker-registry-login.yml | 11 ++ ...ainer-image-scanning-e5adf2c6b540b502.yaml | 6 + tools/scan-images.sh | 79 +++++++++++ 4 files changed, 201 insertions(+), 26 deletions(-) create mode 100644 etc/kayobe/ansible/docker-registry-login.yml create mode 100644 releasenotes/notes/container-image-scanning-e5adf2c6b540b502.yaml create mode 100755 tools/scan-images.sh diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml index b8afea93e..ad3097d0a 100644 --- a/.github/workflows/stackhpc-container-image-build.yml +++ b/.github/workflows/stackhpc-container-image-build.yml @@ -38,6 +38,12 @@ on: type: boolean required: false default: true + push-dirty: + description: Push scanned images that have vulnerabilities? + type: boolean + required: false + # NOTE(Alex-Welsh): This default should be flipped once we resolve existing failures + default: true env: ANSIBLE_FORCE_COLOR: True @@ -109,7 +115,15 @@ jobs: - name: Install package dependencies run: | sudo apt update - sudo apt install -y build-essential git unzip nodejs python3-wheel python3-pip python3-venv + sudo apt install -y build-essential git unzip nodejs python3-wheel python3-pip python3-venv curl jq wget + + - name: Install gh + run: | + sudo mkdir -p -m 755 /etc/apt/keyrings && wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null + sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg + echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null + sudo apt update + sudo apt install gh -y - name: Checkout uses: actions/checkout@v4 @@ -127,6 +141,10 @@ jobs: run: | docker ps + - name: Install Trivy + run: | + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.49.0 + - name: Install Kayobe run: | mkdir -p venvs && @@ -162,65 +180,124 @@ jobs: env: KAYOBE_VAULT_PASSWORD: ${{ secrets.KAYOBE_VAULT_PASSWORD }} - - name: Build and push kolla overcloud images + - name: Create build logs output directory + run: mkdir image-build-logs + + - name: Build kolla overcloud images + id: build_overcloud_images + continue-on-error: true run: | - args="${{ github.event.inputs.regexes }}" + args="${{ inputs.regexes }}" args="$args -e kolla_base_distro=${{ matrix.distro }}" args="$args -e kolla_tag=${{ needs.generate-tag.outputs.kolla_tag }}" args="$args -e stackhpc_repo_mirror_auth_proxy_enabled=true" - if ${{ inputs.push }} == 'true'; then - args="$args --push" - fi source venvs/kayobe/bin/activate && source src/kayobe-config/kayobe-env --environment ci-builder && kayobe overcloud container image build $args env: KAYOBE_VAULT_PASSWORD: ${{ secrets.KAYOBE_VAULT_PASSWORD }} - if: github.event.inputs.overcloud == 'true' + if: inputs.overcloud + + - name: Copy overcloud container image build logs to output directory + run: sudo mv /var/log/kolla-build.log image-build-logs/kolla-build-overcloud.log + if: inputs.overcloud - - name: Build and push kolla seed images + - name: Build kolla seed images + id: build_seed_images + continue-on-error: true run: | args="-e kolla_base_distro=${{ matrix.distro }}" args="$args -e kolla_tag=${{ needs.generate-tag.outputs.kolla_tag }}" args="$args -e stackhpc_repo_mirror_auth_proxy_enabled=true" - if ${{ inputs.push }} == 'true'; then - args="$args --push" - fi source venvs/kayobe/bin/activate && source src/kayobe-config/kayobe-env --environment ci-builder && kayobe seed container image build $args env: KAYOBE_VAULT_PASSWORD: ${{ secrets.KAYOBE_VAULT_PASSWORD }} - if: github.event.inputs.seed == 'true' + if: inputs.seed + + - name: Copy seed container image build logs to output directory + run: sudo mv /var/log/kolla-build.log image-build-logs/kolla-build-seed.log + if: inputs.seed - name: Get built container images - run: | - docker image ls --filter "reference=ark.stackhpc.com/stackhpc-dev/${{ matrix.distro }}-*:${{ needs.generate-tag.outputs.kolla_tag }}" > ${{ matrix.distro }}-container-images + run: docker image ls --filter "reference=ark.stackhpc.com/stackhpc-dev/${{ matrix.distro }}-*:${{ needs.generate-tag.outputs.kolla_tag }}" > ${{ matrix.distro }}-container-images - name: Fail if no images have been built run: if [ $(wc -l < ${{ matrix.distro }}-container-images) -le 1 ]; then exit 1; fi - - name: Upload container images artifact + - name: Scan built container images + run: src/kayobe-config/tools/scan-images.sh ${{ matrix.distro }} ${{ needs.generate-tag.outputs.kolla_tag }} + + - name: Move image scan logs to output artifact + run: mv image-scan-output image-build-logs/image-scan-output + + - name: Fail if no images have passed scanning + run: if [ $(wc -l < image-build-logs/image-scan-output/clean-images.txt) -le 0 ]; then exit 1; fi + if: ${{ !inputs.push-dirty }} + + - name: Copy clean images to push-attempt-images list + run: cp image-build-logs/image-scan-output/clean-images.txt image-build-logs/push-attempt-images.txt + if: inputs.push + + - name: Append dirty images to push list + run: | + cat image-build-logs/image-scan-output/dirty-images.txt >> image-build-logs/push-attempt-images.txt + if: ${{ inputs.push && inputs.push-dirty }} + + - name: Push images + run: | + touch image-build-logs/push-failed-images.txt + source venvs/kayobe/bin/activate && + source src/kayobe-config/kayobe-env --environment ci-builder && + kayobe playbook run ${KAYOBE_CONFIG_PATH}/ansible/docker-registry-login.yml && + + while read -r image; do + # Retries! + for i in {1..5}; do + if docker push $image; then + echo "Pushed $image" + break + elif $i == 5; then + echo "Failed to push $image" + echo $image >> image-build-logs/push-failed-images.txt + else + echo "Failed on retry $i" + sleep 5 + fi; + done + done < image-build-logs/push-attempt-images.txt + shell: bash + env: + KAYOBE_VAULT_PASSWORD: ${{ secrets.KAYOBE_VAULT_PASSWORD }} + if: inputs.push + + - name: Upload output artifact uses: actions/upload-artifact@v4 with: - name: ${{ matrix.distro }} container images - path: ${{ matrix.distro }}-container-images + name: ${{ matrix.distro }}-logs + path: image-build-logs retention-days: 7 + if: ${{ !cancelled() }} + + - name: Fail when images failed to build + run: echo "An image build failed. Check the workflow artifact for build logs" && exit 1 + if: ${{ steps.build_overcloud_images.outcome == 'failure' || steps.build_seed_images.outcome == 'failure' }} + + - name: Fail when images failed to push + run: if [ $(wc -l < image-build-logs/push-failed-images.txt) -gt 0 ]; then cat image-build-logs/push-failed-images.txt && exit 1; fi + if: ${{ !cancelled() }} + + - name: Fail when images failed scanning + run: if [ $(wc -l < image-build-logs/dirty-images.txt) -gt 0 ]; then cat image-build-logs/dirty-images.txt && exit 1; fi + if: ${{ !inputs.push-dirty && !cancelled() }} - sync-container-repositories: - name: Trigger container image repository sync - needs: - - container-image-build - if: github.repository == 'stackhpc/stackhpc-kayobe-config' && inputs.push - runs-on: ubuntu-latest - permissions: {} - steps: # NOTE(mgoddard): Trigger another CI workflow in the # stackhpc-release-train repository. - name: Trigger container image repository sync run: | filter='${{ inputs.regexes }}' - if [[ -n $filter ]] && [[ ${{ github.event.inputs.seed }} == 'true' ]]; then + if [[ -n $filter ]] && [[ ${{ inputs.seed }} == 'true' ]]; then filter="$filter bifrost" fi gh workflow run \ @@ -231,7 +308,9 @@ jobs: -f sync-new-images=false env: GITHUB_TOKEN: ${{ secrets.STACKHPC_RELEASE_TRAIN_TOKEN }} + if: ${{ github.repository == 'stackhpc/stackhpc-kayobe-config' && inputs.push && !cancelled() }} - name: Display link to container image repository sync workflows run: | echo "::notice Container image repository sync workflows: https://github.com/stackhpc/stackhpc-release-train/actions/workflows/container-sync.yml" + if: ${{ github.repository == 'stackhpc/stackhpc-kayobe-config' && inputs.push && !cancelled() }} diff --git a/etc/kayobe/ansible/docker-registry-login.yml b/etc/kayobe/ansible/docker-registry-login.yml new file mode 100644 index 000000000..39ad03600 --- /dev/null +++ b/etc/kayobe/ansible/docker-registry-login.yml @@ -0,0 +1,11 @@ +--- +- name: Login to docker registry + gather_facts: false + hosts: container-image-builders + tasks: + - name: Login to docker registry + docker_login: + registry_url: "{{ kolla_docker_registry or omit }}" + username: "{{ kolla_docker_registry_username }}" + password: "{{ kolla_docker_registry_password }}" + reauthorize: yes diff --git a/releasenotes/notes/container-image-scanning-e5adf2c6b540b502.yaml b/releasenotes/notes/container-image-scanning-e5adf2c6b540b502.yaml new file mode 100644 index 000000000..67a99f9c2 --- /dev/null +++ b/releasenotes/notes/container-image-scanning-e5adf2c6b540b502.yaml @@ -0,0 +1,6 @@ +--- +security: + - | + Kolla container images created using the + ``stackhpc-container-image-build.yml`` workflow are now automatically + scanned for vulnerablilities. diff --git a/tools/scan-images.sh b/tools/scan-images.sh new file mode 100755 index 000000000..50a04185a --- /dev/null +++ b/tools/scan-images.sh @@ -0,0 +1,79 @@ +#!/usr/bin/env bash +set -eo pipefail + +# Check correct usage +if [[ ! $2 ]]; then + echo "Usage: scan-images.sh " + exit 2 +fi + +set -u + +# Check that trivy is installed +if ! trivy --version; then + echo 'Please install trivy: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.49.1' +fi + +# Clear any previous outputs +rm -rf image-scan-output + +# Make a fresh output directory +mkdir -p image-scan-output + +# Get built container images +docker image ls --filter "reference=ark.stackhpc.com/stackhpc-dev/$1-*:$2" > $1-scanned-container-images.txt + +# Make a file of imagename:tag +images=$(grep --invert-match --no-filename ^REPOSITORY $1-scanned-container-images.txt | sed 's/ \+/:/g' | cut -f 1,2 -d:) + +# Ensure output files exist +touch image-scan-output/clean-images.txt image-scan-output/dirty-images.txt + +# If Trivy detects no vulnerabilities, add the image name to clean-images.txt. +# If there are vulnerabilities detected, add it to dirty-images.txt and +# generate a csv summary +for image in $images; do + filename=$(basename $image | sed 's/:/\./g') + if $(trivy image \ + --quiet \ + --exit-code 1 \ + --scanners vuln \ + --format json \ + --severity HIGH,CRITICAL \ + --output image-scan-output/${filename}.json \ + --ignore-unfixed \ + $image); then + # Clean up the output file for any images with no vulnerabilities + rm -f image-scan-output/${filename}.json + + # Add the image to the clean list + echo "${image}" >> image-scan-output/clean-images.txt + else + # Add the image to the dirty list + echo "${image}" >> image-scan-output/dirty-images.txt + + # Write a header for the summary CSV + echo '"PkgName","PkgPath","PkgID","VulnerabilityID","FixedVersion","PrimaryURL","Severity"' > image-scan-output/${filename}.summary.csv + + # Write the summary CSV data + jq -r '.Results[] + | select(.Vulnerabilities) + | .Vulnerabilities + # Ignore packages with "kernel" in the PkgName + | map(select(.PkgName | test("kernel") | not )) + | group_by(.VulnerabilityID) + | map( + [ + (map(.PkgName) | unique | join(";")), + (map(.PkgPath | select( . != null )) | join(";")), + .[0].PkgID, + .[0].VulnerabilityID, + .[0].FixedVersion, + .[0].PrimaryURL, + .[0].Severity + ] + ) + | .[] + | @csv' image-scan-output/${filename}.json >> image-scan-output/${filename}.summary.csv + fi +done From 2ae28e016a8b2c3614feb6728d3795b95ae1481e Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Fri, 8 Mar 2024 21:31:35 +0100 Subject: [PATCH 09/13] Fix Ceph "Objects in the Cluster" dashboard panel The `ceph_cluster_total_objects` metric was removed several releases ago [1]. Use `ceph_pool_objects` which provides per-pool metrics. [1] https://github.com/ceph/ceph-ansible/issues/6032 --- .../grafana/dashboards/ceph/ceph_overview.json | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/etc/kayobe/kolla/config/grafana/dashboards/ceph/ceph_overview.json b/etc/kayobe/kolla/config/grafana/dashboards/ceph/ceph_overview.json index e041d8ff0..e5258168a 100644 --- a/etc/kayobe/kolla/config/grafana/dashboards/ceph/ceph_overview.json +++ b/etc/kayobe/kolla/config/grafana/dashboards/ceph/ceph_overview.json @@ -1924,23 +1924,25 @@ } ], "spaceLength": 10, - "stack": true, + "stack": false, "steppedLine": false, "targets": [ { - "expr": "ceph_cluster_total_objects", + "datasource": { + "uid": "$datasource" + }, + "expr": "ceph_pool_objects * on(pool_id) group_left(instance,name) ceph_pool_metadata", "format": "time_series", "interval": "$interval", "intervalFactor": 1, - "legendFormat": "Total", + "legendFormat": "{{name}}", + "range": true, "refId": "A", "step": 300 } ], "thresholds": [], - "timeFrom": null, "timeRegions": [], - "timeShift": null, "title": "Objects in the Cluster", "tooltip": { "msResolution": false, From 1e33f3da156ce7e1c2e586abccc8e4fe7555f235 Mon Sep 17 00:00:00 2001 From: Alex-Welsh Date: Mon, 11 Mar 2024 09:11:06 +0000 Subject: [PATCH 10/13] Fix tempest doc long line --- doc/source/operations/tempest.rst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/doc/source/operations/tempest.rst b/doc/source/operations/tempest.rst index 82135adf9..b3fa2b5a8 100644 --- a/doc/source/operations/tempest.rst +++ b/doc/source/operations/tempest.rst @@ -277,7 +277,10 @@ command from the base of the ``kayobe-config`` directory: .. code-block:: bash - sudo -E docker run --detach -it --rm --network host -v $(pwd):/stack/kayobe-automation-env/src/kayobe-config -v $(pwd)/tempest-artifacts:/stack/tempest-artifacts -e KAYOBE_ENVIRONMENT -e KAYOBE_VAULT_PASSWORD -e KAYOBE_AUTOMATION_SSH_PRIVATE_KEY kayobe:latest /stack/kayobe-automation-env/src/kayobe-config/.automation/pipeline/tempest.sh -e ansible_user=stack + sudo -E docker run --name kayobe-automation --detach -it --rm --network host \ + -v $(pwd):/stack/kayobe-automation-env/src/kayobe-config -v $(pwd)/tempest-artifacts:/stack/tempest-artifacts \ + -e KAYOBE_ENVIRONMENT -e KAYOBE_VAULT_PASSWORD -e KAYOBE_AUTOMATION_SSH_PRIVATE_KEY kayobe:latest \ + /stack/kayobe-automation-env/src/kayobe-config/.automation/pipeline/tempest.sh -e ansible_user=stack By default, ``no_log`` is set to stop credentials from leaking. This can be disabled by adding ``-e rally_no_sensitive_log=false`` to the end. From e989f4ffb1b38bc491ed605c88f9ae8aa6a6b40f Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Mon, 11 Mar 2024 09:44:36 +0000 Subject: [PATCH 11/13] CI: Support unmaintained branches in release determination --- .github/workflows/overcloud-host-image-build.yml | 2 +- .github/workflows/overcloud-host-image-promote.yml | 2 +- .github/workflows/overcloud-host-image-upload.yml | 2 +- .github/workflows/stackhpc-ci-cleanup.yml | 2 +- .github/workflows/stackhpc-container-image-build.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/overcloud-host-image-build.yml b/.github/workflows/overcloud-host-image-build.yml index cbccca23e..4c338cda3 100644 --- a/.github/workflows/overcloud-host-image-build.yml +++ b/.github/workflows/overcloud-host-image-build.yml @@ -50,7 +50,7 @@ jobs: id: openstack_release run: | BRANCH=$(awk -F'=' '/defaultbranch/ {print $2}' .gitreview) - echo "openstack_release=${BRANCH}" | sed "s|stable/||" >> $GITHUB_OUTPUT + echo "openstack_release=${BRANCH}" | sed -E "s,(stable|unmaintained)/,," >> $GITHUB_OUTPUT # Generate a tag to apply to all built overcloud host images. - name: Generate overcloud host image tag diff --git a/.github/workflows/overcloud-host-image-promote.yml b/.github/workflows/overcloud-host-image-promote.yml index 1bd777c8c..d5625f888 100644 --- a/.github/workflows/overcloud-host-image-promote.yml +++ b/.github/workflows/overcloud-host-image-promote.yml @@ -43,7 +43,7 @@ jobs: id: openstack_release run: | BRANCH=$(awk -F'=' '/defaultbranch/ {print $2}' .gitreview) - echo "openstack_release=${BRANCH}" | sed "s|stable/||" >> $GITHUB_OUTPUT + echo "openstack_release=${BRANCH}" | sed -E "s,(stable|unmaintained)/,," >> $GITHUB_OUTPUT working-directory: src/kayobe-config - name: Clone StackHPC Kayobe repository diff --git a/.github/workflows/overcloud-host-image-upload.yml b/.github/workflows/overcloud-host-image-upload.yml index 633f423b5..e95531564 100644 --- a/.github/workflows/overcloud-host-image-upload.yml +++ b/.github/workflows/overcloud-host-image-upload.yml @@ -59,7 +59,7 @@ jobs: id: openstack_release run: | BRANCH=$(awk -F'=' '/defaultbranch/ {print $2}' src/kayobe-config/.gitreview) - echo "openstack_release=${BRANCH}" | sed "s|stable/||" >> $GITHUB_OUTPUT + echo "openstack_release=${BRANCH}" | sed -E "s,(stable|unmaintained)/,," >> $GITHUB_OUTPUT - name: Clone StackHPC Kayobe repository uses: actions/checkout@v4 diff --git a/.github/workflows/stackhpc-ci-cleanup.yml b/.github/workflows/stackhpc-ci-cleanup.yml index d0da0c051..a769aa718 100644 --- a/.github/workflows/stackhpc-ci-cleanup.yml +++ b/.github/workflows/stackhpc-ci-cleanup.yml @@ -30,7 +30,7 @@ jobs: id: openstack_release run: | BRANCH=$(awk -F'=' '/defaultbranch/ {print $2}' src/kayobe-config/.gitreview) - echo "openstack_release=${BRANCH}" | sed "s|stable/||" >> $GITHUB_OUTPUT + echo "openstack_release=${BRANCH}" | sed -E "s,(stable|unmaintained)/,," >> $GITHUB_OUTPUT - name: Install OpenStack client run: | diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml index b8afea93e..e41beb3c3 100644 --- a/.github/workflows/stackhpc-container-image-build.yml +++ b/.github/workflows/stackhpc-container-image-build.yml @@ -59,7 +59,7 @@ jobs: id: openstack_release run: | BRANCH=$(awk -F'=' '/defaultbranch/ {print $2}' .gitreview) - echo "openstack_release=${BRANCH}" | sed "s|stable/||" >> $GITHUB_OUTPUT + echo "openstack_release=${BRANCH}" | sed -E "s,(stable|unmaintained)/,," >> $GITHUB_OUTPUT # Generate a tag to apply to all built container images. # Without this, each kayobe * container image build command would use a different tag. From 5e0dc70ae9c3b8a57611faec19630131df303232 Mon Sep 17 00:00:00 2001 From: Matt Crees Date: Tue, 12 Mar 2024 14:33:36 +0000 Subject: [PATCH 12/13] Fix Jinja templating in Barbican Vault config The raw tags cause ``ssl_ca_crt_file`` to be templated without a newline on the end. This would give the following misconfiguration: ``` use_ssl = True ssl_ca_crt_file = approle_role_id = approle_secret_id = ``` --- doc/source/configuration/vault.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/doc/source/configuration/vault.rst b/doc/source/configuration/vault.rst index 62bdaf24a..4cb39b61b 100644 --- a/doc/source/configuration/vault.rst +++ b/doc/source/configuration/vault.rst @@ -296,7 +296,9 @@ Configure Barbican [vault_plugin] vault_url = https://{{ kolla_internal_vip_address }}:8200 use_ssl = True - ssl_ca_crt_file = {% raw %}{{ openstack_cacert }}{% endraw %} + {% raw %} + ssl_ca_crt_file = {{ openstack_cacert }} + {% endraw %} approle_role_id = {{ secrets_barbican_approle_role_id }} approle_secret_id = {{ secrets_barbican_approle_secret_id }} kv_mountpoint = barbican From d2ed09e11fc58ee3658c53cf983075a72d334bb2 Mon Sep 17 00:00:00 2001 From: Alex-Welsh Date: Mon, 18 Mar 2024 10:40:11 +0000 Subject: [PATCH 13/13] Run OVN playbook without limit during upgrade --- .../ansible/ovn-fix-chassis-priorities.yml | 31 ++++++++++--------- etc/kayobe/ansible/ubuntu-upgrade.yml | 4 --- tools/ubuntu-upgrade-overcloud.sh | 2 ++ 3 files changed, 19 insertions(+), 18 deletions(-) diff --git a/etc/kayobe/ansible/ovn-fix-chassis-priorities.yml b/etc/kayobe/ansible/ovn-fix-chassis-priorities.yml index 36566b6a3..9ba469ce7 100644 --- a/etc/kayobe/ansible/ovn-fix-chassis-priorities.yml +++ b/etc/kayobe/ansible/ovn-fix-chassis-priorities.yml @@ -21,22 +21,25 @@ - name: Find OVN DB DB Leader hosts: "{{ ovn_nb_db_group | default('controllers') }}" tasks: - - name: Find the OVN NB DB leader - ansible.builtin.command: docker exec ovn_nb_db ovn-nbctl get-connection - changed_when: false - failed_when: false - register: ovn_check_result - check_mode: false + - name: Find OVN DB Leader + when: kolla_enable_ovn | bool + block: + - name: Find the OVN NB DB leader + ansible.builtin.command: docker exec ovn_nb_db ovn-nbctl get-connection + changed_when: false + failed_when: false + register: ovn_check_result + check_mode: false - - name: Group hosts by leader/follower role - ansible.builtin.group_by: - key: "ovn_nb_{{ 'leader' if ovn_check_result.rc == 0 else 'follower' }}" - changed_when: false + - name: Group hosts by leader/follower role + ansible.builtin.group_by: + key: "ovn_nb_{{ 'leader' if ovn_check_result.rc == 0 else 'follower' }}" + changed_when: false - - name: Assert one leader exists - ansible.builtin.assert: - that: - - groups['ovn_nb_leader'] | default([]) | length == 1 + - name: Assert one leader exists + ansible.builtin.assert: + that: + - groups['ovn_nb_leader'] | default([]) | length == 1 - name: Fix OVN chassis priorities hosts: ovn_nb_leader diff --git a/etc/kayobe/ansible/ubuntu-upgrade.yml b/etc/kayobe/ansible/ubuntu-upgrade.yml index 3b477731c..928e1c52d 100644 --- a/etc/kayobe/ansible/ubuntu-upgrade.yml +++ b/etc/kayobe/ansible/ubuntu-upgrade.yml @@ -104,7 +104,3 @@ that: - ansible_facts.distribution_major_version == '22' - ansible_facts.distribution_release == 'jammy' - -- name: Run the OVN chassis priority fix playbook - import_playbook: "{{ lookup('ansible.builtin.env', 'KAYOBE_CONFIG_PATH') }}/ansible/ovn-fix-chassis-priorities.yml" - when: kolla_enable_ovn diff --git a/tools/ubuntu-upgrade-overcloud.sh b/tools/ubuntu-upgrade-overcloud.sh index 3e351d6d6..50959c263 100755 --- a/tools/ubuntu-upgrade-overcloud.sh +++ b/tools/ubuntu-upgrade-overcloud.sh @@ -31,4 +31,6 @@ set -x kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/ubuntu-upgrade.yml -e os_release=jammy --limit $1 +kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/ovn-fix-chassis-priorities.yml + kayobe overcloud host configure --limit $1 --kolla-limit $1 -e os_release=jammy