Use hosts setup playbooks from openstack-ansible-plugins repo
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/924257 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/927826 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/928592 Change-Id: Ie03b41eeb02e3f5e31900926e133d1b34ecb0ac4
parent
8b5317903d
commit
09d805bc23
@ -12,18 +12,5 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Create CA certificates
|
||||
hosts: "{{ openstack_pki_setup_host | default('localhost') }}"
|
||||
gather_facts: "{{ osa_gather_facts | default(True) }}"
|
||||
tags:
|
||||
- always
|
||||
tasks:
|
||||
- name: "Create CA certificates"
|
||||
include_role:
|
||||
name: pki
|
||||
tasks_from: main_ca.yml
|
||||
vars:
|
||||
pki_dir: "{{ openstack_pki_dir }}"
|
||||
pki_create_ca: "{{ openstack_pki_authorities | default([]) | length > 0 }}"
|
||||
pki_regen_ca: "{{ openstack_pki_regen_ca }}"
|
||||
pki_authorities: "{{ openstack_pki_authorities }}"
|
||||
- name: Import certificate_authority playbook
|
||||
import_playbook: openstack.osa.certificate_authority
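Review bot: The stub left by the added `import_playbook: openstack.osa.certificate_authority` line does not say which release of the collection supplies the playbook. The CA creation that was readable here (the `pki` role with `tasks_from: main_ca.yml`) now runs from whatever version of `openstack.osa` is installed on the deploy host. A short comment above the import would make that dependency reviewable, e.g. `# Implemented in the openstack.osa collection (openstack-ansible-plugins); version pinned in <collection requirements file>`. The removed play also carried `tags: always`, and this page does not show whether the collection play keeps it, so confirm that a `--tags`-limited run still creates the CA. The same two points apply to the certificate_generate and certificate_ssh_authority stubs in the next two sections.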
|
||||
|
@ -12,21 +12,5 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Generate any extra user certificates
|
||||
hosts: "{{ openstack_pki_setup_host | default('localhost') }}"
|
||||
gather_facts: "{{ osa_gather_facts | default(True) }}"
|
||||
tags:
|
||||
- always
|
||||
tasks:
|
||||
- name: Create user certificates
|
||||
include_role:
|
||||
name: pki
|
||||
tasks_from: main_certs.yml
|
||||
vars:
|
||||
pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
|
||||
pki_dir: "{{ openstack_pki_dir }}"
|
||||
cert_dir: "{{ pki_dir }}/certs"
|
||||
pki_search_certificates_pattern: "user_pki_certificates_"
|
||||
pki_regen_cert: "{{ user_pki_regen_cert | default(false) }}"
|
||||
when:
|
||||
- pki_create_certificates | default(true)
|
||||
- name: Import certificate_generate playbook
|
||||
import_playbook: openstack.osa.certificate_generate
|
||||
|
@ -12,19 +12,5 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Create SSHD CA
|
||||
hosts: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
|
||||
gather_facts: "{{ osa_gather_facts | default(True) }}"
|
||||
tags:
|
||||
- always
|
||||
- sshd-ca
|
||||
tasks:
|
||||
- name: "Create SSHD certificate authority"
|
||||
include_role:
|
||||
name: openstack.osa.ssh_keypairs
|
||||
vars:
|
||||
ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
|
||||
ssh_keypairs_dir: "{{ openstack_ssh_keypairs_dir }}"
|
||||
ssh_keypairs: "{{ openstack_ssh_keypairs_authorities }}"
|
||||
ssh_keypairs_install_authorities: false
|
||||
ssh_keypairs_install_keypairs: false
|
||||
- name: Import certificate_ssh_authority playbook
|
||||
import_playbook: openstack.osa.certificate_ssh_authority
|
||||
|
@ -13,7 +13,5 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Import container hosts playbook
|
||||
import_playbook: "containers-lxc-host.yml"
|
||||
- name: Import containers create playbook
|
||||
import_playbook: "containers-lxc-create.yml"
|
||||
- name: Import containers_deploy playbook
|
||||
import_playbook: openstack.osa.containers_deploy
|
||||
|
@ -13,103 +13,5 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Set lxc containers group
|
||||
hosts: "{{ container_group | default('all_containers') }}"
|
||||
gather_facts: false
|
||||
tasks:
|
||||
- name: Setup installation variables
|
||||
include_role:
|
||||
name: openstack.osa.install_defaults
|
||||
defaults_from: "{{ install_method }}"
|
||||
public: true
|
||||
apply:
|
||||
tags:
|
||||
- always
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Add hosts to dynamic inventory group
|
||||
group_by:
|
||||
key: lxc_containers
|
||||
parents: all_lxc_containers
|
||||
when:
|
||||
- container_tech == 'lxc'
|
||||
tags:
|
||||
- always
|
||||
- lxc-containers-create
|
||||
|
||||
- name: Gather lxc hosts facts
|
||||
hosts: "{{ lxc_host_group | default('lxc_hosts') }}"
|
||||
gather_facts: true
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Create container(s)
|
||||
hosts: all_lxc_containers
|
||||
user: root
|
||||
gather_facts: false
|
||||
environment: "{{ deployment_environment_variables | default({}) }}"
|
||||
tags:
|
||||
- lxc-containers-create
|
||||
pre_tasks:
|
||||
- name: Setup installation variables
|
||||
include_role:
|
||||
name: openstack.osa.install_defaults
|
||||
defaults_from: "{{ install_method }}"
|
||||
public: true
|
||||
apply:
|
||||
tags:
|
||||
- always
|
||||
tags:
|
||||
- always
|
||||
roles:
|
||||
- role: "lxc_container_create"
|
||||
post_tasks:
|
||||
- name: Wait for container connectivity
|
||||
wait_for_connection:
|
||||
connect_timeout: "{{ lxc_container_wait_params.connect_timeout | default(omit) }}"
|
||||
delay: "{{ lxc_container_wait_params.delay | default(omit) }}"
|
||||
sleep: "{{ lxc_container_wait_params.sleep | default(omit) }}"
|
||||
timeout: "{{ lxc_container_wait_params.timeout | default(omit) }}"
|
||||
|
||||
- name: Clear facts for new container(s)
|
||||
meta: clear_facts
|
||||
|
||||
- name: Gather lxc containers facts
|
||||
hosts: all_lxc_containers
|
||||
gather_facts: true
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Configure containers default software
|
||||
hosts: all_lxc_containers
|
||||
user: root
|
||||
gather_facts: false
|
||||
environment: "{{ deployment_environment_variables | default({}) }}"
|
||||
tags:
|
||||
- lxc-containers-create
|
||||
pre_tasks:
|
||||
- name: Check for a supported Operating System
|
||||
assert:
|
||||
that:
|
||||
- (ansible_facts['distribution'] == 'Debian' and ansible_facts['distribution_release'] == 'bullseye') or
|
||||
(ansible_facts['distribution'] == 'Debian' and ansible_facts['distribution_release'] == 'bookworm') or
|
||||
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_release'] == 'jammy') or
|
||||
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_release'] == 'noble') or
|
||||
(ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '9')
|
||||
msg: >
|
||||
The only supported platforms for this release are Debian 11 (Bullseye), Debian 12 (Bookworm)
|
||||
Ubuntu 22.04 (Jammy), CentOS 9 Stream, and Rocky Linux 9.
|
||||
- name: Setup installation variables
|
||||
include_role:
|
||||
name: openstack.osa.install_defaults
|
||||
defaults_from: "{{ install_method }}"
|
||||
public: true
|
||||
apply:
|
||||
tags:
|
||||
- always
|
||||
tags:
|
||||
- always
|
||||
roles:
|
||||
- role: "openstack_hosts"
|
||||
is_container: true
|
||||
- name: Import containers_lxc_create playbook
|
||||
import_playbook: openstack.osa.containers_lxc_create
|
||||
|
@ -13,84 +13,5 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Set lxc containers group
|
||||
hosts: "{{ container_group | default('all_containers') }}"
|
||||
gather_facts: false
|
||||
tasks:
|
||||
- name: Add hosts to dynamic inventory group
|
||||
group_by:
|
||||
key: lxc_containers
|
||||
parents: all_lxc_containers
|
||||
when:
|
||||
- container_tech == 'lxc'
|
||||
tags:
|
||||
- always
|
||||
- lxc-containers-create
|
||||
|
||||
- name: Destroy lxc containers
|
||||
hosts: all_lxc_containers
|
||||
gather_facts: false
|
||||
user: root
|
||||
tasks:
|
||||
- name: Slurp machine-id
|
||||
slurp:
|
||||
src: "/etc/machine-id"
|
||||
register: _container_machine_id
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Destroy a container
|
||||
lxc_container:
|
||||
name: "{{ container_name }}"
|
||||
state: "absent"
|
||||
delegate_to: "{{ physical_host }}"
|
||||
when:
|
||||
- force_containers_destroy | bool
|
||||
|
||||
- name: Destroy container journal directories
|
||||
vars:
|
||||
container_machine_id: "{{ ((_container_machine_id.content | default('bm9uZQo=')) | b64decode).strip() }}"
|
||||
file:
|
||||
path: "/var/log/journal/{{ container_machine_id }}"
|
||||
state: "absent"
|
||||
delegate_to: "{{ physical_host }}"
|
||||
when:
|
||||
- not _container_machine_id is failed
|
||||
- force_containers_destroy | bool
|
||||
|
||||
- name: Destroy container service directories
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: "absent"
|
||||
with_items:
|
||||
- "/var/lib/lxc/{{ container_name }}"
|
||||
delegate_to: "{{ physical_host }}"
|
||||
when:
|
||||
- force_containers_destroy | bool
|
||||
- name: Destroy container data
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: "absent"
|
||||
with_items:
|
||||
- "/openstack/{{ container_name }}"
|
||||
- "/openstack/backup/{{ container_name }}"
|
||||
- "/openstack/log/{{ container_name }}"
|
||||
- "/openstack/glusterd/{{ container_name }}"
|
||||
- "/var/log/lxc/lxc-{{ container_name }}.log"
|
||||
delegate_to: "{{ physical_host }}"
|
||||
when:
|
||||
- force_containers_destroy | bool
|
||||
- force_containers_data_destroy | bool
|
||||
vars_prompt:
|
||||
- name: "force_containers_destroy"
|
||||
prompt: "Are you sure you want to destroy the LXC containers?"
|
||||
default: "no"
|
||||
private: no
|
||||
- name: "force_containers_data_destroy"
|
||||
prompt: "Are you sure you want to destroy the LXC container data?"
|
||||
default: "no"
|
||||
private: no
|
||||
tags:
|
||||
- lxc-containers-destroy
|
||||
- name: Import constainers_lxc_destroy playbook
|
||||
import_playbook: openstack.osa.containers_lxc_destroy
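Review bot: The added play name is misspelled as `Import constainers_lxc_destroy playbook`; it should read `- name: Import containers_lxc_destroy playbook`. The removed play also held the two `vars_prompt` confirmations (`force_containers_destroy` and `force_containers_data_destroy`, both defaulting to "no") that gate every `state: "absent"` task. That guard now has to exist in `openstack.osa.containers_lxc_destroy`, which is not visible on this page, so confirm the collection playbook keeps both prompts with the same defaults before this merges.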
|
||||
|
@ -13,50 +13,5 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Gather lxc hosts facts
|
||||
hosts: "{{ lxc_host_group | default('lxc_hosts') }}"
|
||||
gather_facts: "{{ osa_gather_facts | default(True) }}"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Basic lxc host setup
|
||||
hosts: "{{ lxc_host_group | default('lxc_hosts') }}"
|
||||
user: root
|
||||
gather_facts: false
|
||||
serial: "{{ lxc_hosts_serial | default(['100%']) }}"
|
||||
environment: "{{ deployment_environment_variables | default({}) }}"
|
||||
tags:
|
||||
- lxc-hosts
|
||||
pre_tasks:
|
||||
- name: Setup installation variables
|
||||
include_role:
|
||||
name: openstack.osa.install_defaults
|
||||
defaults_from: "{{ install_method }}"
|
||||
public: true
|
||||
|
||||
- name: Check the state of the default LXC service log directory
|
||||
stat:
|
||||
path: "/var/log/lxc"
|
||||
register: _lxc_log_dir
|
||||
- name: Create the log aggregation parent directory
|
||||
file:
|
||||
path: "/openstack/log"
|
||||
state: directory
|
||||
mode: "0755"
|
||||
- name: Move the existing folder to the log aggregation parent
|
||||
command: "mv /var/log/lxc /openstack/log/{{ inventory_hostname }}-lxc" # noqa: no-changed-when
|
||||
when:
|
||||
- _lxc_log_dir.stat.isdir is defined
|
||||
- _lxc_log_dir.stat.isdir | bool
|
||||
- name: Create the new LXC service log directory
|
||||
file:
|
||||
path: "/openstack/log/{{ inventory_hostname }}-lxc"
|
||||
state: directory
|
||||
mode: "0755"
|
||||
- name: Create the LXC service log aggregation link
|
||||
file:
|
||||
src: "/openstack/log/{{ inventory_hostname }}-lxc"
|
||||
dest: "/var/log/lxc"
|
||||
state: "link"
|
||||
roles:
|
||||
- role: "lxc_hosts"
|
||||
- name: Import containers_lxc_host playbook
|
||||
import_playbook: openstack.osa.containers_lxc_host
|
||||
|
@ -13,69 +13,5 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# NOTE(mhayden): CentOS always has python (because of yum), but it's possible
|
||||
# that Ubuntu nodes may not have python by default. Ansible doesn't work very
|
||||
# well if Python isn't installed.
|
||||
#
|
||||
# Also, we can't use a 'when' to check for the ansible_facts['pkg_mgr'] here because
|
||||
# we haven't gathered facts yet.
|
||||
- name: Install Ansible prerequisites
|
||||
hosts: "{{ openstack_host_group|default('hosts') }}"
|
||||
gather_facts: false
|
||||
user: root
|
||||
pre_tasks:
|
||||
- name: Ensure python is installed
|
||||
register: result
|
||||
raw: |
|
||||
if which apt-get >/dev/null && ! which python >/dev/null ; then
|
||||
if ! which python3 >/dev/null ; then
|
||||
apt-get -y install python3
|
||||
fi
|
||||
update-alternatives --install /usr/bin/python python /usr/bin/python3 10
|
||||
exit 2
|
||||
else
|
||||
exit 0
|
||||
fi
|
||||
changed_when: "result.rc == 2"
|
||||
failed_when: "result.rc not in [0, 2]"
|
||||
|
||||
- name: Gather host facts
|
||||
hosts: "{{ openstack_host_group|default('hosts') }}"
|
||||
gather_facts: "{{ osa_gather_facts | default(True) }}"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Basic host setup
|
||||
hosts: "{{ openstack_host_group|default('hosts') }}"
|
||||
gather_facts: false
|
||||
user: root
|
||||
pre_tasks:
|
||||
- name: Setup installation variables
|
||||
include_role:
|
||||
name: openstack.osa.install_defaults
|
||||
defaults_from: "{{ install_method }}"
|
||||
public: true
|
||||
apply:
|
||||
tags:
|
||||
- always
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Check for a supported Operating System
|
||||
assert:
|
||||
that:
|
||||
- (ansible_facts['distribution'] == 'Debian' and ansible_facts['distribution_release'] == 'bookworm') or
|
||||
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_release'] == 'jammy') or
|
||||
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_release'] == 'noble') or
|
||||
(ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '9')
|
||||
msg: >
|
||||
The only supported platforms for this release are Debian 12 (Bookworm)
|
||||
Ubuntu 22.04 (Jammy), CentOS 9 Stream, and Rocky Linux 9.
|
||||
roles:
|
||||
- role: "openstack_hosts"
|
||||
post_tasks:
|
||||
- name: Ensure deploy host SSH connection is reset
|
||||
meta: reset_connection
|
||||
environment: "{{ deployment_environment_variables | default({}) }}"
|
||||
tags:
|
||||
- openstack-hosts
|
||||
- name: Import openstack_hosts_setup playbook
|
||||
import_playbook: openstack.osa.openstack_hosts_setup
|
||||
|
@ -13,34 +13,5 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# As an additional safeguard, this playbook requires the
|
||||
# 'apply_security_hardening' boolean set to True for it to apply security
|
||||
# hardening standards to a system.
|
||||
|
||||
- name: Gather security hardening facts
|
||||
hosts: "{{ security_host_group|default('hosts') }}"
|
||||
gather_facts: "{{ osa_gather_facts | default(True) }}"
|
||||
tasks:
|
||||
- name: Gather additional facts
|
||||
include_role:
|
||||
name: openstack.osa.gather_extra_facts
|
||||
vars:
|
||||
deployment_extra_facts_filter: ansible_mounts
|
||||
deployment_extra_facts_subset: "!all,hardware"
|
||||
when: osa_gather_facts | default(True)
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Apply security hardening configurations
|
||||
hosts: "{{ security_host_group|default('hosts') }}"
|
||||
gather_facts: false
|
||||
user: root
|
||||
pre_tasks:
|
||||
tasks:
|
||||
- name: Include security hardening role
|
||||
include_role:
|
||||
name: "ansible-hardening"
|
||||
when: apply_security_hardening | bool
|
||||
environment: "{{ deployment_environment_variables | default({}) }}"
|
||||
tags:
|
||||
- security
|
||||
- name: Import security_hardening playbook
|
||||
import_playbook: openstack.osa.security_hardening
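Review bot: The header comment explaining that hardening is applied only when `apply_security_hardening` is true is removed together with the plays, so this entry point no longer tells an operator why a run may skip the `ansible-hardening` role. Keep a one-line comment above the import, e.g. `# Hardening is applied only when 'apply_security_hardening' is true; see openstack.osa.security_hardening.` Whether the collection playbook retains the `when: apply_security_hardening | bool` gate cannot be checked from this page.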
|
||||
|
@ -1,5 +1,5 @@
|
||||
---
|
||||
# Copyright 2014, Rackspace US, Inc.
|
||||
# Copyright 2024, BBC R&D.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
@ -13,26 +13,5 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Importing pre hook playbook
|
||||
import_playbook: "{{ pre_setup_hosts_hook | default('hook-dummy.yml') }}"
|
||||
|
||||
- name: Importing certificate-authority playbook
|
||||
import_playbook: certificate-authority.yml
|
||||
|
||||
- name: Importing certificate-ssh-authority playbook
|
||||
import_playbook: certificate-ssh-authority.yml
|
||||
|
||||
- name: Importing certificate-generate playbook
|
||||
import_playbook: certificate-generate.yml
|
||||
|
||||
- name: Importing openstack-hosts-setup playbook
|
||||
import_playbook: openstack-hosts-setup.yml
|
||||
|
||||
- name: Importing containers-deploy playbook
|
||||
import_playbook: containers-deploy.yml
|
||||
|
||||
- name: Importing security-hardening playbook
|
||||
import_playbook: security-hardening.yml
|
||||
|
||||
- name: Importing post hook playbook
|
||||
import_playbook: "{{ post_setup_hosts_hook | default('hook-dummy.yml') }}"
|
||||
- name: Importing certificate_authority playbook
|
||||
import_playbook: openstack.osa.setup_hosts
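Review bot: The added play name `Importing certificate_authority playbook` does not match what it imports, `openstack.osa.setup_hosts`. It looks copied from the CA stub and will mislead anyone reading run output, so use `- name: Importing setup_hosts playbook`. The removed imports included the `pre_setup_hosts_hook` and `post_setup_hosts_hook` playbooks with a `hook-dummy.yml` default. This page does not show whether the collection playbook still honours those variables or how it resolves a relative hook path, and deployers who rely on a hook need that confirmed.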
|
||||
|