# Copyright (c) 2015 Hewlett-Packard Development Company, L.P. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or # implied. # See the License for the specific language governing permissions and # limitations under the License. --- - name: "Fail if authentication configuration conflicts." fail: msg: > noauth_mode and enable_keystone are mutually exclusive options. Please set one to "false". when: > noauth_mode | bool == true and enable_keystone is defined and enable_keystone | bool == true - name: "If VENV is set in the environment, enable installation into venv" set_fact: enable_venv: true when: lookup('env', 'VENV') | length > 0 - name: "Ensure /etc/hosts has good defaults" lineinfile: dest: "/etc/hosts" regexp: "{{ item.regexp }}.*({{ ansible_hostname }}|localhost).*" line: "{{ item.contents }}" with_items: - { regexp: '^127\.0\.0\.1', contents: '127.0.0.1 {{ ansible_hostname }} {{ ansible_fqdn }} localhost' } - { regexp: '^::1', contents: '::1 {{ ansible_hostname }} {{ ansible_fqdn }} localhost ipv6-localhost ipv6-loopback' } # NOTE(sean-k-mooney) only the RabbitMQ server and MySQL db are started # during bootstrapping. all other services are started in the Start phase. - name: "Start database service" service: name={{ mysql_service_name }} state=started enabled=yes when: ironic.database.host == 'localhost' # NOTE(hwoarang): The erlang SUSE package forces epmd to listen on localhost # address which breaks rabbitmq-server when listening on a different address. # Make sure the systemd service and socket are stopped so rabbitmq-server will # start epmd on its own (https://bugzilla.suse.com/show_bug.cgi?id=1003085) - name: "Stop and disable the epmd service and socket on SUSE" service: name={{ item }} state=stopped enabled=no with_items: - epmd.socket - epmd when: ansible_os_family == 'Suse' - name: "Start rabbitmq-server" service: name=rabbitmq-server state=started enabled=yes # NOTE(cinerama): on some systems, rabbit may not be ready when we want to # make changes to users if we don't wait first - name: "Wait for rabbitmq" wait_for: port=5672 delay=5 - name: "Ensure guest user is removed from rabbitmq" rabbitmq_user: user: "guest" state: absent force: yes - name: "Create ironic user in RabbitMQ" rabbitmq_user: user: "ironic" password: "{{ ironic_db_password }}" force: yes state: present configure_priv: ".*" write_priv: ".*" read_priv: ".*" no_log: true - name: "Set mysql_username if environment variable mysql_user is set" set_fact: mysql_username: "{{ lookup('env', 'mysql_user') }}" when: lookup('env', 'mysql_user') | length > 0 no_log: true - name: "Set mysql_password if environment variable mysql_pass is set" set_fact: mysql_password: "{{ lookup('env', 'mysql_pass') }}" when: lookup('env', 'mysql_pass') | length > 0 no_log: true - name: "MySQL - Creating DB" mysql_db: name: "{{ ironic.database.name }}" state: present encoding: utf8 login_user: "{{ mysql_username | default(None) }}" login_password: "{{ mysql_password | default(None) }}" register: test_created_db when: ironic.database.host == 'localhost' - name: "MySQL - Creating user for Ironic" mysql_user: name: "{{ ironic.database.username }}" password: "{{ ironic.database.password }}" priv: "{{ ironic.database.name }}.*:ALL" state: present login_user: "{{ mysql_username | default(None) }}" login_password: "{{ mysql_password | default(None) }}" when: ironic.database.host == 'localhost' - name: "Create an ironic service group" group: name: "ironic" - name: "Create an ironic service user" user: name: "ironic" group: "ironic" - name: "Ensure /etc/ironic exists" file: name: "/etc/ironic" state: directory owner: "ironic" group: "ironic" mode: 0755 # Note(TheJulia): The rootwrap copies will need to be re-tooled # to possibly directly retreive current files if a source install # is not utilized. - name: "Copy rootwrap.conf from ironic source folder" copy: src: "{{ ironic_git_folder }}/etc/ironic/rootwrap.conf" dest: "/etc/ironic/rootwrap.conf" remote_src: yes mode: 0644 owner: root group: root when: skip_install is not defined and enable_pxe_drivers | bool == true # Note(ashestakov): "copy" module in ansible doesn't support recursive # copying on remote host. "cp" command used instead. - name: "Copy rootwrap.d contents from ironic source folder" command: cp -r "{{ ironic_git_folder }}/etc/ironic/rootwrap.d/" "/etc/ironic/rootwrap.d" when: skip_install is not defined and enable_pxe_drivers | bool == true - name: "Populate keystone for Bifrost" include: keystone_setup.yml when: enable_keystone is defined and enable_keystone | bool == true # NOTE(pas-ha) needed to e.g. pick up new interfaces after libvirt install - name: "Refresh facts" setup: - name: "Generate ironic Configuration" include: ironic_config.yml - name: "Copy policy.json to /etc/ironic" copy: src: "{{ ironic_git_folder }}/etc/ironic/policy.json" dest: "/etc/ironic/" remote_src: yes owner: "ironic" group: "ironic" mode: 0644 - name: "Create ironic DB Schema" command: ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema environment: "{{ bifrost_venv_env if enable_venv else '{}' }}" when: > ironic.database.host == 'localhost' and test_created_db.changed | bool == true - name: "Upgrade ironic DB Schema" command: ironic-dbsync --config-file /etc/ironic/ironic.conf upgrade environment: "{{ bifrost_venv_env if enable_venv else '{}' }}" when: > ironic.database.host != 'localhost' or test_created_db.changed | bool == false - name: "Create service folder if systemd template is defined" file: path: "{{ init_dest_dir }}" state: directory mode: 0755 when: init_template == 'systemd_template.j2' - name: "Install ironic-inspector to permit use of inspection interface" include: inspector_bootstrap.yml when: enable_inspector | bool == true - name: "Get ironic-api & ironic-conductor install location" shell: echo $(dirname $(which ironic-api)) register: ironic_install_prefix environment: "{{ bifrost_venv_env if enable_venv else '{}' }}" - name: "Set permissions for /var/lib/ironic for the ironic user" file: path: "{{ item }}" state: directory mode: 0750 owner: "ironic" group: "ironic" with_items: - "/var/lib/ironic" - "/var/lib/ironic/images" - name: "Place ironic services" template: src: "{{ init_template }}" dest: "{{ init_dest_dir }}{{ item.service_name }}{{ init_ext }}" owner: "root" group: "root" with_items: - { service_path: "{{ ironic_install_prefix.stdout | default('') }}", service_name: 'ironic-api', username: 'ironic', args: '--config-file /etc/ironic/ironic.conf'} - { service_path: "{{ ironic_install_prefix.stdout | default('') }}", service_name: 'ironic-conductor', username: 'ironic', args: '--config-file /etc/ironic/ironic.conf'} - name: "Create and populate /tftpboot" include: create_tftpboot.yml - name: "Setup Inventory Hosts Directory" file: path: "/etc/dnsmasq.d/bifrost.hosts.d" state: directory owner: "root" group: "root" mode: 0755 when: "{{ inventory_dhcp | bool == true }}" - name: "Setup Inventory DHCP Hosts Directory" file: path: "/etc/dnsmasq.d/bifrost.dhcp-hosts.d" state: directory owner: "root" group: "root" mode: 0755 when: "{{ inventory_dhcp | bool == true }}" - name: "Deploy dnsmasq configuration file" template: src=dnsmasq.conf.j2 dest=/etc/dnsmasq.conf when: "{{ include_dhcp_server | bool == true }}" # NOTE(Shrews) When testing, we want to use our custom dnsmasq.conf file, # not the one supplied by libvirt. - name: "Look for libvirt dnsmasq config" stat: path=/etc/dnsmasq.d/libvirt-bin register: test_libvirt_dnsmasq when: "{{ include_dhcp_server | bool == true }}" - name: "Disable libvirt dnsmasq config" command: mv /etc/dnsmasq.d/libvirt-bin /etc/dnsmasq.d/libvirt-bin~ when: > include_dhcp_server | bool == true and test_libvirt_dnsmasq.stat.exists | bool == true and testing | bool == true - name: "Deploy nginx configuration file for serving HTTP requests" template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf - name: "Download Ironic Python Agent kernel & image" include: download_ipa_image.yml when: create_ipa_image | bool == false and download_ipa | bool == true - name: "Download cirros to use for deployment if requested" get_url: url: "{{ cirros_deploy_image_upstream_url }}" dest: "{{ deploy_image }}" when: "{{ use_cirros | bool == true }}" - name: > "Explicitly permit nginx port (TCP) for file downloads from nodes to be provisioned" command: > iptables -I INPUT -p tcp --dport {{file_url_port}} -i {{network_interface}} -j ACCEPT - name: "Explicitly permit TCP/6385 for IPA callback" command: > iptables -I INPUT -p tcp --dport 6385 -i {{ network_interface }} -j ACCEPT - block: - name: "Explicitly allow nginx and IPA port (TCP) on selinux" seport: ports: "{{ file_url_port }},6385" proto: tcp setype: http_port_t state: present - name: "Add proper context on created data for http_boot" command: semanage fcontext -a -t httpd_sys_content_t "{{ http_boot_folder }}(/.*)?" - name: Copy ironic policy file to temporary directory copy: src: ironic_policy.te dest: /tmp/ironic_policy.te - name: Check ironic policy module command: checkmodule -M -m -o /tmp/ironic_policy.mod /tmp/ironic_policy.te - name: Package ironic policy module command: semodule_package -m /tmp/ironic_policy.mod -o /tmp/ironic_policy.pp - name: Include ironic policy module command: semodule -i /tmp/ironic_policy.pp - name: Enable ironic policy module command: semodule -e ironic_policy when: (ansible_os_family == 'RedHat' or ansible_os_family == 'Suse') and ansible_selinux.status == 'enabled' and ansible_selinux.mode == "enforcing" - name: "Configure remote logging" template: src=10-rsyslog-remote.conf.j2 dest=/etc/rsyslog.d/10-rsyslog-remote.conf when: remote_syslog_server is defined and remote_syslog_server != ""