Merge remote-tracking branch 'origin/stackhpc/yoga' into sync-stackhp…

…c-yoga

ansible/docker-devicemapper.yml

@@ -5,6 +5,18 @@
     - docker
     - docker-devicemapper
   tasks:
+    - name: Warn about deprecation of devicemapper Docker storage driver
+      fail:
+        msg: >
+          Support for using the devicemapper Docker storage driver is
+          deprecated in Kayobe and will be removed in the Caracal 16.0.0
+          release. To keep using devicemapper in the current release, ensure
+          that the version of Docker Engine installed is below 25.0.0.
+      # NOTE(priteau): We want this to print a nice big red warning and not to
+      # fail the run.
+      ignore_errors: yes
+      when: docker_storage_driver == 'devicemapper'
+
     - name: Check for existing Docker configuration using devicemapper
       block:
       - name: Query Docker daemon for storage driver

ansible/group_vars/all/apt

@@ -45,3 +45,12 @@ apt_repositories: []
 # when replacing the distribution repositories via apt_repositories.
 # Default is false.
 apt_disable_sources_list: false
+
+# List of Apt auth configurations. Each item is a dict with the following keys:
+# * machine: 'machine' entry in the auth file
+# * login: 'login' entry in the auth file
+# * password: 'password' entry in the auth file
+# * filename: Name of a file in /etc/apt/auth.conf.d in which to store
+#   the auth configuration. The extension should be ``.conf``.
+# Default is an empty list.
+apt_auth: []

ansible/group_vars/all/bifrost

@@ -99,7 +99,7 @@ kolla_bifrost_inspector_port_addition: "{{ inspector_add_ports }}"
 kolla_bifrost_inspector_extra_kernel_options: "{{ inspector_extra_kernel_options }}"
 
 # List of introspection rules for Bifrost's Ironic Inspector service.
-kolla_bifrost_inspector_rules: "{{ inspector_rules }}"
+kolla_bifrost_inspector_rules: "{{ inspector_rules + [inspector_rule_legacy_deploy_kernel] }}"
 
 # Ironic inspector IPMI username to set.
 kolla_bifrost_inspector_ipmi_username: "{{ ipmi_username }}"
@@ -117,6 +117,9 @@ kolla_bifrost_inspector_deploy_kernel: "http://{{ provision_oc_net_name | net_ip
 # Ironic inspector deployment ramdisk location.
 kolla_bifrost_inspector_deploy_ramdisk: "http://{{ provision_oc_net_name | net_ip }}:8080/ipa.initramfs"
 
+# Ironic inspector legacy deployment kernel location.
+kolla_bifrost_inspector_legacy_deploy_kernel: "http://{{ provision_oc_net_name | net_ip }}:8080/ipa.vmlinuz"
+
 # Timeout of hardware inspection on overcloud nodes, in seconds. Default is
 # {{ inspector_inspection_timeout }}.
 kolla_bifrost_inspection_timeout: "{{ inspector_inspection_timeout }}"

ansible/group_vars/all/infra-vms

@@ -48,7 +48,7 @@ infra_vm_root_format: qcow2
 # or
 # https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2
 # when os_distribution is "rocky" and os_release is "9"
-# "https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-20220913.0.x86_64.qcow2"
+# "https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-latest.x86_64.qcow2"
 # otherwise.
 infra_vm_root_image: >-
   {%- if os_distribution == 'ubuntu' %}
@@ -58,7 +58,7 @@ infra_vm_root_image: >-
   {%- elif os_distribution == 'rocky' and os_release == '9' %}
   https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2
   {%- else -%}
-  https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-20220913.0.x86_64.qcow2
+  https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-latest.x86_64.qcow2
   {%- endif %}
 
 # Capacity of the infra VM data volume.

ansible/group_vars/all/inspector

@@ -119,6 +119,18 @@ inspector_rule_deploy_kernel:
       path: "driver_info/deploy_kernel"
       value: "{{ inspector_rule_var_deploy_kernel }}"
 
+# Ironic inspector rule to update deployment kernel from legacy location.
+inspector_rule_legacy_deploy_kernel:
+  description: "Update deploy kernel from legacy"
+  conditions:
+    - field: "node://driver_info.deploy_kernel"
+      op: "eq"
+      value: "{{ inspector_rule_var_legacy_deploy_kernel }}"
+  actions:
+    - action: "set-attribute"
+      path: "driver_info/deploy_kernel"
+      value: "{{ inspector_rule_var_deploy_kernel }}"
+
 # Deployment ramdisk referenced by inspector rule.
 inspector_rule_var_deploy_ramdisk:
 

ansible/group_vars/all/ipa

@@ -47,7 +47,7 @@ ipa_build_dib_elements: >
 ipa_build_dib_env_default:
   # TODO(mgoddard): Use {{ os_release }} here when we use os_distribution
   # above.
-  DIB_RELEASE: "8-stream"
+  DIB_RELEASE: "9-stream"
   DIB_REPOLOCATION_ironic_python_agent: "{{ ipa_build_source_url }}"
   DIB_REPOREF_ironic_python_agent: "{{ ipa_build_source_version }}"
   DIB_REPOREF_requirements: "{{ openstack_branch }}"

ansible/group_vars/all/kolla

@@ -203,11 +203,11 @@ overcloud_container_image_regex_map:
     enabled: "{{ kolla_enable_multipathd | bool }}"
   - regex: ^murano
     enabled: "{{ kolla_enable_murano | bool }}"
-  - regex: neutron-server
+  - regex: "neutron-\\(server\\|metadata-agent\\)"
     enabled: "{{ kolla_enable_neutron | bool }}"
   # Neutron SFC agent not currently supported on CentOS binary builds.
-  - regex: "neutron-\\(dhcp\\|l3\\|metadata\\|linuxbridge\\|openvswitch\\)-agent"
-    enabled: "{{ kolla_enable_neutron | bool }}"
+  - regex: "neutron-\\(dhcp\\|l3\\|linuxbridge\\|openvswitch\\)-agent"
+    enabled: "{{ kolla_build_neutron_ovs | default(kolla_enable_neutron | bool and not kolla_enable_ovn | bool) }}"
   - regex: neutron-mlnx-agent
     enabled: "{{ kolla_enable_neutron_mlnx | bool }}"
   - regex: neutron-sriov-agent
@@ -627,9 +627,15 @@ kolla_ansible_default_custom_passwords: >-
              if compute_libvirt_enabled | bool and compute_libvirt_enable_sasl | bool
              else {}) }}
 
+# Dictionary containing extra custom passwords to add or override in the Kolla
+# passwords file.
+kolla_ansible_extra_custom_passwords: {}
+
 # Dictionary containing custom passwords to add or override in the Kolla
 # passwords file.
-kolla_ansible_custom_passwords: "{{ kolla_ansible_default_custom_passwords }}"
+kolla_ansible_custom_passwords: >-
+  {{ kolla_ansible_default_custom_passwords |
+     combine(kolla_ansible_extra_custom_passwords) }}
 
 ###############################################################################
 # OpenStack API addresses.
@@ -666,7 +672,7 @@ kolla_external_tls_cert:
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-kolla_external_fqdn_cacert:
+kolla_public_openrc_cacert: "{{ kolla_external_fqdn_cacert | default }}"
 
 # Internal API certificate bundle.
 #
@@ -679,7 +685,7 @@ kolla_internal_tls_cert:
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-kolla_internal_fqdn_cacert:
+kolla_admin_openrc_cacert: "{{ kolla_internal_fqdn_cacert | default }}"
 
 ###############################################################################
 # Proxy configuration

ansible/group_vars/all/overcloud-dib

@@ -42,7 +42,7 @@ overcloud_dib_os_release: "{{ os_release }}"
 overcloud_dib_elements_default:
   - "{{ overcloud_dib_os_element }}"
   - "cloud-init-datasources"
-  - "{% if overcloud_dib_os_element in ['centos', 'rocky'] %}disable-selinux{% endif %}"
+  - "{% if os_distribution in ['centos', 'rocky'] %}disable-selinux{% endif %}"
   - "enable-serial-console"
   - "vm"
 

ansible/group_vars/all/seed

@@ -123,6 +123,10 @@ seed_users: "{{ users_default }}"
 #
 seed_containers: {}
 
+# Whether to attempt a basic authentication login to a registry when
+# deploying seed containers
+seed_deploy_containers_registry_attempt_login: "{{ kolla_docker_registry_username is truthy and kolla_docker_registry_password is truthy }}"
+
 ###############################################################################
 # Seed node firewalld configuration.
 

ansible/group_vars/all/seed-vm

@@ -48,7 +48,7 @@ seed_vm_root_format: qcow2
 # or
 # https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2
 # when os_distribution is "rocky" and os_release is "9"
-# "https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-20220913.0.x86_64.qcow2"
+# "https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-latest.x86_64.qcow2"
 # otherwise.
 seed_vm_root_image: >-
   {%- if os_distribution == 'ubuntu' %}
@@ -58,7 +58,7 @@ seed_vm_root_image: >-
   {%- elif os_distribution == 'rocky' and os_release == '9' %}
   https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2
   {%- else -%}
-  https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-20220913.0.x86_64.qcow2
+  https://cloud.centos.org/centos/8-stream/x86_64/images/CentOS-Stream-GenericCloud-8-latest.x86_64.qcow2
   {%- endif %}
 
 # Capacity of the seed VM data volume.

ansible/group_vars/monitoring/firewall

@@ -19,7 +19,7 @@ firewalld_zones: >
 firewalld_default_zone: >-
   {{ controller_firewalld_default_zone
      if inventory_hostname in groups['controllers'] else
-     monitoring_firewalld_default_zone }}"
+     monitoring_firewalld_default_zone }}
 
 # A list of firewall rules to apply. Each item is a dict containing arguments
 # to pass to the firewalld module. Arguments are omitted if not provided, with
@@ -30,4 +30,4 @@ firewalld_default_zone: >-
 firewalld_rules: >
   {{ controller_firewalld_rules
      if inventory_hostname in groups['controllers'] else
-     monitoring_firewalld_rules }}"
+     monitoring_firewalld_rules }}

ansible/group_vars/seed/docker-registry

@@ -0,0 +1,7 @@
+---
+###############################################################################
+# Seed node docker regsitry configuration.
+
+# Whether to attempt a basic authentication login to a registry when
+# deploying seed containers
+deploy_containers_registry_attempt_login: "{{ seed_deploy_containers_registry_attempt_login }}"

ansible/infra-vm-host-configure.yml

@@ -9,7 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
-- import_playbook: "disable-selinux.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"

ansible/kayobe-ansible-user.yml

@@ -13,28 +13,23 @@
     - kayobe-ansible-user
   tasks:
     - name: Check whether the host is accessible via SSH
-      local_action:
-        module: command ssh -o BatchMode=yes -p {{ ssh_port }} {{ ssh_user }}@{{ ssh_host }} hostname
-      failed_when: false
+      raw: hostname
+      ignore_unreachable: true
       changed_when: false
       check_mode: no
       register: ssh_result
-      vars:
-        ssh_user: "{{ ansible_user }}"
-        ssh_host: "{{ ansible_host | default(inventory_hostname) }}"
-        ssh_port: "{{ ansible_ssh_port | default('22') }}"
 
     - name: Group hosts requiring kayobe user bootstrapping
       group_by:
-        key: kayobe_user_bootstrap_required_{{ ssh_result.rc != 0 }}
+        key: kayobe_user_bootstrap_required_{{ ssh_result.unreachable | default(false) }}
       changed_when: false
 
     - name: Display a message when bootstrapping is required
       debug:
         msg: >
           Cannot access host via SSH using Kayobe Ansible user account -
           attempting bootstrap
-      when: ssh_result.rc != 0
+      when: ssh_result.unreachable | default(false)
 
 - name: Ensure python is installed
   hosts: kayobe_user_bootstrap_required_True

ansible/kolla-ansible.yml

@@ -93,20 +93,12 @@
           - "{{ kayobe_config_path }}"
         kolla_overcloud_inventory_search_paths: "{{ kolla_overcloud_inventory_search_paths_static + kayobe_env_search_paths }}"
         kolla_ansible_certificates_path: "{{ kayobe_env_config_path }}/kolla/certificates"
-        # NOTE: This differs from the default SELinux mode in kolla ansible,
-        # which is permissive. The justification for using this mode is twofold:
-        # 1. it avoids filling up the audit log
-        # 2. it avoids an issue seen when using diskimage-builder in the bifrost
-        # container.
-        # We could look at making the SELinux mode configurable in future.
-        kolla_selinux_state: disabled
         kolla_inspector_dhcp_pool_start: "{{ inspection_net_name | net_inspection_allocation_pool_start }}"
         kolla_inspector_dhcp_pool_end: "{{ inspection_net_name | net_inspection_allocation_pool_end }}"
         kolla_inspector_netmask: "{{ inspection_net_name | net_mask }}"
         kolla_inspector_default_gateway: "{{ inspection_net_name | net_inspection_gateway or inspection_net_name | net_gateway }}"
         kolla_inspector_extra_kernel_options: "{{ inspector_extra_kernel_options }}"
         kolla_libvirt_tls: "{{ compute_libvirt_enable_tls | bool }}"
-        kolla_enable_host_ntp: false
         docker_daemon_mtu: "{{ public_net_name | net_mtu | default }}"
         kolla_globals_paths_static:
           - "{{ kayobe_config_path }}"

ansible/kolla-bifrost-hostvars.yml

@@ -19,10 +19,10 @@
       ipv4_interface_mac: "{% raw %}{{ extra.pxe_interface_mac | default }}{% endraw %}"
       ipv4_address: "{{ admin_oc_net_name | net_ip }}"
       ipv4_subnet_mask: "{{ admin_oc_net_name | net_mask }}"
-      # If the admin network does not have a gateway defined, use the
-      # seed as a gateway to allow external access until other networks have
-      # been configured.
-      ipv4_gateway: "{{ admin_oc_net_name | net_gateway or admin_oc_net_name | net_ip(seed_host) }}"
+      # If the admin network does not have a gateway defined and seed SNAT is
+      # enabled, use the seed as a gateway to allow external access until other
+      # networks have been configured. Otherwise, do not set any gateway.
+      ipv4_gateway: "{{ (admin_oc_net_name | net_gateway) or (admin_oc_net_name | net_ip(seed_host) if seed_enable_snat | bool) }}"
       ipv4_nameserver: "{{ resolv_nameservers }}"
       network_mtu: "{{ admin_oc_net_name | net_mtu or '1500' }}"
       vlan_id: "{{ '' if admin_oc_net_name == provision_oc_net_name else (admin_oc_net_name | net_vlan) }}"

ansible/kolla-openstack.yml

@@ -94,6 +94,7 @@
     switch_type_to_device_type:
       arista: netmiko_arista_eos
       dellos9: netmiko_dell_force10
+      dellos10: netmiko_dell_os10
       dell-powerconnect: netmiko_dell_powerconnect
       junos: netmiko_juniper
       openvswitch: netmiko_ovs_linux

ansible/overcloud-host-configure.yml

@@ -9,7 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
-- import_playbook: "disable-selinux.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"

ansible/roles/apt/defaults/main.yml

@@ -48,3 +48,12 @@ apt_repositories: []
 # when replacing the distribution repositories via apt_repositories.
 # Default is false.
 apt_disable_sources_list: false
+
+# List of Apt auth configurations. Each item is a dict with the following keys:
+# * machine: 'machine' entry in the auth file
+# * login: 'login' entry in the auth file
+# * password: 'password' entry in the auth file
+# * filename: Name of a file in /etc/apt/auth.conf.d in which to store
+#   the auth configuration. The extension should be ``.conf``.
+# Default is an empty list.
+apt_auth: []

ansible/roles/apt/files/auth_schema.json

@@ -0,0 +1,28 @@
+{
+    "$schema": "https://json-schema.org/draft/2020-12/schema",
+    "description": "List of Apt auth configurations",
+    "type": "array",
+    "items": {
+        "description": "Apt auth configuration",
+        "type": "object",
+        "required": ["machine", "login", "password", "filename"],
+        "properties": {
+            "machine": {
+                "type": "string",
+		"minLength": 1
+            },
+            "login": {
+                "type": "string",
+		"minLength": 1
+            },
+            "password": {
+                "type": "string",
+		"minLength": 1
+            },
+            "filename": {
+                "type": "string",
+		"minLength": 1
+            }
+        }
+    }
+}

ansible/roles/apt/tasks/auth.yml

@@ -0,0 +1,32 @@
+---
+- name: Validate Apt auth config
+  ansible.utils.validate:
+    criteria: "{{ lookup('ansible.builtin.file', 'auth_schema.json') }}"
+    data: "{{ apt_auth }}"
+
+- name: Ensure the Apt auth.conf.d directory exists
+  ansible.builtin.file:
+    path: "/etc/apt/auth.conf.d"
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+  become: true
+
+- name: Configure Apt auth files
+  ansible.builtin.template:
+    src: "auth.conf.j2"
+    dest: "/etc/apt/auth.conf.d/{{ auth.filename }}"
+    owner: root
+    group: root
+    mode: 0600
+  become: true
+  # apt_auth contains sensitive data, so iterate over indices to avoid exposing
+  # them in Ansible output.
+  loop: "{{ apt_auth | map(attribute='filename') }}"
+  loop_control:
+    index_var: auth_index
+  vars:
+    auth: "{{ apt_auth[auth_index] }}"
+  notify:
+    - Update apt cache

ansible/roles/apt/tasks/keys.yml

@@ -17,3 +17,7 @@
     mode: 0644
   loop: "{{ apt_keys }}"
   become: true
+  register: result
+  until: result is successful
+  retries: 3
+  delay: 5