Merge branch 'stackhpc/wallaby' into upstream/wallaby-2023-06-19

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @stackhpc/kayobe

.github/workflows/tag-and-release.yml

@@ -0,0 +1,12 @@
+---
+name: Tag & Release
+'on':
+  push:
+    branches:
+      - stackhpc/wallaby
+permissions:
+  actions: read
+  contents: write
+jobs:
+  tag-and-release:
+    uses: stackhpc/.github/.github/workflows/tag-and-release.yml@main

.github/workflows/tox.yml

@@ -0,0 +1,7 @@
+---
+name: Tox Continuous Integration
+'on':
+  pull_request:
+jobs:
+  tox:
+    uses: stackhpc/.github/.github/workflows/tox.yml@main

ansible/action_plugins/merge_configs.py

@@ -0,0 +1,19 @@
+# Copyright (c) 2021 StackHPC Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+__metaclass__ = type
+
+import kayobe.plugins.action.merge_configs
+
+ActionModule = kayobe.plugins.action.merge_configs.ActionModule

ansible/action_plugins/merge_yaml.py

@@ -0,0 +1,19 @@
+# Copyright (c) 2021 StackHPC Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+__metaclass__ = type
+
+import kayobe.plugins.action.merge_yaml
+
+ActionModule = kayobe.plugins.action.merge_yaml.ActionModule

ansible/apt.yml

@@ -1,6 +1,6 @@
 ---
 - name: Ensure APT is configured
-  hosts: seed-hypervisor:seed:overcloud
+  hosts: seed-hypervisor:seed:overcloud:infra-vms
   vars:
     ansible_python_interpreter: /usr/bin/python3
   tags:

ansible/compute-libvirt-host.yml

@@ -0,0 +1,59 @@
+---
+- name: Ensure the libvirt daemon is configured
+  hosts: compute
+  tags:
+    - libvirt-host
+  tasks:
+    - name: Ensure Ceph package repository is available
+      package:
+        name: "centos-release-ceph-{{ compute_libvirt_ceph_repo_release }}"
+        state: present
+      when:
+        - compute_libvirt_enabled | bool
+        - ansible_facts.distribution in ['CentOS', 'Rocky']
+        - compute_libvirt_ceph_repo_install | bool
+      become: true
+
+    - name: Include stackhpc.libvirt-host role
+      include_role:
+        name: stackhpc.libvirt-host
+      vars:
+        libvirt_host_libvirtd_conf: "{{ compute_libvirt_conf }}"
+        libvirt_host_qemu_conf: "{{ compute_qemu_conf }}"
+        libvirt_host_enable_sasl_support: "{{ compute_libvirt_enable_sasl | bool }}"
+        libvirt_host_sasl_authname: nova
+        libvirt_host_sasl_password: "{{ compute_libvirt_sasl_password }}"
+        libvirt_host_tcp_listen: "{{ not compute_libvirt_enable_tls | bool }}"
+        libvirt_host_tcp_listen_address: "{{ internal_net_name | net_ip }}:16509"
+        libvirt_host_tls_listen: "{{ compute_libvirt_enable_tls | bool }}"
+        libvirt_host_tls_listen_address: "{{ internal_net_name | net_ip }}:16514"
+        # TLS server and client certificates.
+        libvirt_host_tls_server_cert: >-
+          {{ lookup('file', lookup('first_found', lookup_params | combine({'files': ['servercert.pem']})))
+             if libvirt_host_tls_listen | default(False) | bool else '' }}
+        libvirt_host_tls_server_key: >-
+          {{ lookup('file', lookup('first_found', lookup_params | combine({'files': ['serverkey.pem']})))
+             if libvirt_host_tls_listen | default(False) | bool else '' }}
+        libvirt_host_tls_client_cert: >-
+          {{ lookup('file', lookup('first_found', lookup_params | combine({'files': ['clientcert.pem']})))
+             if libvirt_host_tls_listen | default(False) | bool else '' }}
+        libvirt_host_tls_client_key: >-
+          {{ lookup('file', lookup('first_found', lookup_params | combine({'files': ['clientkey.pem']})))
+             if libvirt_host_tls_listen | default(False) | bool else '' }}
+        libvirt_host_tls_cacert: >-
+          {{ lookup('file', lookup('first_found', lookup_params | combine({'files': ['cacert.pem']})))
+             if libvirt_host_tls_listen | default(False) | bool else '' }}
+        lookup_params:
+          paths: "{{ libvirt_tls_cert_paths }}"
+          skip: true
+        # Support loading libvirt TLS certificates & keys from per-host and
+        # global locations.
+        libvirt_tls_cert_paths: >-
+          {{ (libvirt_tls_cert_dirs | unique | product([inventory_hostname]) | map('path_join') | list +
+              libvirt_tls_cert_dirs | unique | list) | list }}
+        libvirt_tls_cert_dirs:
+          - "{{ kayobe_env_config_path }}/certificates/libvirt"
+          - "{{ kayobe_config_path }}/certificates/libvirt"
+        libvirt_host_enable_efi_support: true
+      when:
+        - compute_libvirt_enabled | bool

ansible/dev-tools.yml

@@ -1,6 +1,6 @@
 ---
 - name: Ensure development tools are installed
-  hosts: seed-hypervisor:seed:overcloud
+  hosts: seed-hypervisor:seed:overcloud:infra-vms
   tags:
     - dev-tools
   roles:

ansible/disable-cloud-init.yml

@@ -4,7 +4,7 @@
 # In some cases cloud-init reconfigure automatically network interface
 # and cause some issues in network configuration
 - name: Disable Cloud-init service
-  hosts: overcloud
+  hosts: overcloud:infra-vms
   tags:
     - disable-cloud-init
   roles:

ansible/disable-glean.yml

@@ -3,7 +3,7 @@
 # servers but gets in the way after this as it tries to enable all network
 # interfaces. In some cases this can lead to timeouts.
 - name: Ensure Glean is disabled and its artifacts are removed
-  hosts: seed:overcloud
+  hosts: seed:overcloud:infra-vms
   tags:
     - disable-glean
   roles:

ansible/disable-selinux.yml

@@ -1,6 +1,6 @@
 ---
 - name: Disable SELinux and reboot if required
-  hosts: seed:overcloud
+  hosts: seed:overcloud:infra-vms
   tags:
     - disable-selinux
   roles:

ansible/dnf.yml

@@ -1,6 +1,6 @@
 ---
 - name: Ensure DNF repos are configured
-  hosts: seed-hypervisor:seed:overcloud
+  hosts: seed-hypervisor:seed:overcloud:infra-vms
   vars:
     ansible_python_interpreter: /usr/bin/python3
   tags:

ansible/firewall.yml

@@ -0,0 +1,12 @@
+---
+- name: Ensure firewall is configured
+  hosts: seed-hypervisor:seed:overcloud:infra-vms
+  tags:
+    - config
+    - firewall
+  tasks:
+    - name: Configure the firewall
+      include_role:
+        name: "firewall-{{ ansible_facts.os_family | lower }}"
+      when:
+        - ansible_facts.os_family == 'RedHat'

ansible/group_vars/all/apt

@@ -10,3 +10,38 @@ apt_proxy_http:
 
 # Apt proxy URL for HTTPS. Default is {{ apt_proxy_http }}.
 apt_proxy_https: "{{ apt_proxy_http }}"
+
+# List of Apt configuration options. Each item is a dict with the following
+# keys:
+# * content: free-form configuration file content
+# * filename: name of a file in /etc/apt/apt.conf.d/ in which to write the
+#   configuration
+# Default is an empty list.
+apt_config: []
+
+# List of apt keys. Each item is a dict containing the following keys:
+# * url: URL of key
+# * filename: Name of a file in which to store the downloaded key. The
+#   extension should be '.asc' for ASCII-armoured keys, or '.gpg' otherwise.
+# Default is an empty list.
+apt_keys: []
+
+# A list of Apt repositories. Each item is a dict with the following keys:
+# * types: whitespace-separated list of repository types, e.g. deb or deb-src
+#   (optional, default is 'deb')
+# * url: URL of the repository
+# * suites: whitespace-separated list of suites, e.g. focal (optional, default
+#   is ansible_facts.distribution_release)
+# * components: whitespace-separated list of components, e.g. main (optional,
+#   default is 'main')
+# * signed_by: whitespace-separated list of names of GPG keyring files in
+#   apt_keys_path (optional, default is unset)
+# * architecture: whitespace-separated list of architectures that will be used
+#   (optional, default is unset)
+# Default is an empty list.
+apt_repositories: []
+
+# Whether to disable repositories in /etc/apt/sources.list. This may be used
+# when replacing the distribution repositories via apt_repositories.
+# Default is false.
+apt_disable_sources_list: false

ansible/group_vars/all/bifrost

@@ -58,6 +58,18 @@ kolla_bifrost_dib_env_vars: "{{ kolla_bifrost_dib_env_vars_default | combine(kol
 # List of DIB packages to install.
 kolla_bifrost_dib_packages: []
 
+###############################################################################
+# Disk image deployment configuration.
+
+# Name of disk image file to deploy. Default is "deployment_image.qcow2".
+kolla_bifrost_deploy_image_filename: "deployment_image.qcow2"
+
+# UUID of the root filesystem contained within the deployment image.
+# See below URL for instructions on how to extract it:
+# https://docs.openstack.org/ironic/latest/admin/raid.html#image-requirements
+# Default is none.
+kolla_bifrost_deploy_image_rootfs:
+
 ###############################################################################
 # Ironic configuration.
 

ansible/group_vars/all/compute

@@ -133,3 +133,82 @@ compute_sysctl_parameters: {}
 # List of users to create. This should be in a format accepted by the
 # singleplatform-eng.users role.
 compute_users: "{{ users_default }}"
+
+###############################################################################
+# Compute node firewalld configuration.
+
+# Whether to install and enable firewalld.
+compute_firewalld_enabled: false
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+compute_firewalld_zones: []
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+compute_firewalld_default_zone:
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+compute_firewalld_rules: []
+
+###############################################################################
+# Compute node host libvirt configuration.
+
+# Whether to enable a host libvirt daemon. Default is true if kolla_enable_nova
+# is true and kolla_enable_nova_libvirt_container is false.
+compute_libvirt_enabled: "{{ kolla_enable_nova | bool and not kolla_enable_nova_libvirt_container | bool }}"
+
+# A dict of default configuration options to write to
+# /etc/libvirt/libvirtd.conf.
+compute_libvirt_conf_default:
+  auth_tcp: "{{ 'sasl' if compute_libvirt_enable_sasl | bool else 'none' }}"
+  auth_tls: "{{ 'sasl' if compute_libvirt_enable_sasl | bool else 'none' }}"
+  log_level: "{{ compute_libvirtd_log_level }}"
+
+# A dict of additional configuration options to write to
+# /etc/libvirt/libvirtd.conf.
+compute_libvirt_conf_extra: {}
+
+# A dict of configuration options to write to /etc/libvirt/libvirtd.conf.
+# Default is a combination of compute_libvirt_conf_default and
+# compute_libvirt_conf_extra.
+compute_libvirt_conf: "{{ compute_libvirt_conf_default | combine(compute_libvirt_conf_extra) }}"
+
+# Numerical log level for libvirtd. Default is 3.
+compute_libvirtd_log_level: 3
+
+# A dict of default configuration options to write to
+# /etc/libvirt/qemu.conf.
+compute_qemu_conf_default:
+  max_files: 32768
+  max_processes: 131072
+
+# A dict of additional configuration options to write to
+# /etc/libvirt/qemu.conf.
+compute_qemu_conf_extra: {}
+
+# A dict of configuration options to write to /etc/libvirt/qemu.conf.
+# Default is a combination of compute_qemu_conf_default and
+# compute_qemu_conf_extra.
+compute_qemu_conf: "{{ compute_qemu_conf_default | combine(compute_qemu_conf_extra) }}"
+
+# Whether to enable libvirt SASL authentication. Default is true.
+compute_libvirt_enable_sasl: true
+
+# libvirt SASL password. Default is unset.
+compute_libvirt_sasl_password:
+
+# Whether to enable a libvirt TLS listener. Default is false.
+compute_libvirt_enable_tls: false
+
+# Whether to install a Ceph package repository on CentOS and Rocky hosts.
+# Default is true.
+compute_libvirt_ceph_repo_install: true
+
+# Ceph package repository release to install on CentOS and Rocky hosts when
+# compute_libvirt_ceph_repo_install is true. Default is 'pacific'.
+compute_libvirt_ceph_repo_release: pacific

ansible/group_vars/all/controllers

@@ -155,3 +155,24 @@ controller_sysctl_parameters: {}
 # List of users to create. This should be in a format accepted by the
 # singleplatform-eng.users role.
 controller_users: "{{ users_default }}"
+
+###############################################################################
+# Controller node firewalld configuration.
+
+# Whether to install and enable firewalld.
+controller_firewalld_enabled: false
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+controller_firewalld_zones: []
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+controller_firewalld_default_zone:
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+controller_firewalld_rules: []

ansible/group_vars/all/dnf

@@ -7,12 +7,18 @@ dnf_config: {}
 # Whether or not to use a local Yum mirror. Default value is 'false'.
 dnf_use_local_mirror: false
 
-# Mirror FQDN for Yum repos. Default value is 'mirror.centos.org'.
+# Mirror FQDN for Yum CentOS repos. Default value is 'mirror.centos.org'.
 dnf_centos_mirror_host: 'mirror.centos.org'
 
 # Mirror directory for Yum CentOS repos. Default value is 'centos'.
 dnf_centos_mirror_directory: 'centos'
 
+# Mirror FQDN for Yum Rocky repos. Default value is 'dl.rockylinux.org'.
+dnf_rocky_mirror_host: 'dl.rockylinux.org'
+
+# Mirror directory for Yum Rocky repos. Default value is 'pub/rocky'.
+dnf_rocky_mirror_directory: 'pub/rocky'
+
 # Mirror FQDN for Yum EPEL repos. Default value is
 # 'download.fedoraproject.org'.
 dnf_epel_mirror_host: 'download.fedoraproject.org'

ansible/group_vars/all/globals

@@ -44,13 +44,17 @@ kayobe_ansible_user: "stack"
 ###############################################################################
 # OS distribution.
 
-# OS distribution name. Valid options are "centos", "ubuntu". Default is
-# "centos".
+# OS distribution name. Valid options are "centos", "rocky", "ubuntu". Default
+# is "centos".
 os_distribution: "centos"
 
 # OS release. Valid options are "8-stream" when os_distribution is "centos", or
-# "focal" when os_distribution is "ubuntu".
-os_release: "{{ '8-stream' if os_distribution == 'centos' else 'focal' }}"
+# "8" when os_distribution is "rocky", or "focal" when os_distribution is
+# "ubuntu".
+os_release: >-
+  {{ '8-stream' if os_distribution == 'centos'
+  else '8' if os_distribution == 'rocky'
+  else 'focal' }}
 
 ###############################################################################
 # Ansible configuration.