Use hosts setup playbooks from openstack-ansible-plugins repo

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/924257
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/927826
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/928592
Change-Id: Ie03b41eeb02e3f5e31900926e133d1b34ecb0ac4
Jonathan Rosser 2024-07-16 18:08:25 +01:00
parent 8b5317903d
commit 09d805bc23
10 changed files with 21 additions and 402 deletions


@ -12,18 +12,5 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create CA certificates
hosts: "{{ openstack_pki_setup_host | default('localhost') }}"
gather_facts: "{{ osa_gather_facts | default(True) }}"
tags:
- always
tasks:
- name: "Create CA certificates"
include_role:
name: pki
tasks_from: main_ca.yml
vars:
pki_dir: "{{ openstack_pki_dir }}"
pki_create_ca: "{{ openstack_pki_authorities | default([]) | length > 0 }}"
pki_regen_ca: "{{ openstack_pki_regen_ca }}"
pki_authorities: "{{ openstack_pki_authorities }}"
- name: Import certificate_authority playbook
import_playbook: openstack.osa.certificate_authority
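Review bot: Nothing visible in this change ties the wrapper to a collection release that actually ships `openstack.osa.certificate_authority`; the three Depends-On trailers gate CI but do not constrain what a deployer has installed. The CA creation logic (the `pki` role call with `pki_regen_ca` and `pki_authorities`) now runs from the collection rather than from this repository, so the installed collection version decides how CA material is generated. If the collection pin is bumped in a separate change, a short comment above the play would still help readers, e.g. `# Play body lives in the openstack.osa collection (openstack-ansible-plugins repo).` The same applies to the certificate_generate and certificate_ssh_authority wrappers in the next two sections.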


@ -12,21 +12,5 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Generate any extra user certificates
hosts: "{{ openstack_pki_setup_host | default('localhost') }}"
gather_facts: "{{ osa_gather_facts | default(True) }}"
tags:
- always
tasks:
- name: Create user certificates
include_role:
name: pki
tasks_from: main_certs.yml
vars:
pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
pki_dir: "{{ openstack_pki_dir }}"
cert_dir: "{{ pki_dir }}/certs"
pki_search_certificates_pattern: "user_pki_certificates_"
pki_regen_cert: "{{ user_pki_regen_cert | default(false) }}"
when:
- pki_create_certificates | default(true)
- name: Import certificate_generate playbook
import_playbook: openstack.osa.certificate_generate


@ -12,19 +12,5 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create SSHD CA
hosts: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
gather_facts: "{{ osa_gather_facts | default(True) }}"
tags:
- always
- sshd-ca
tasks:
- name: "Create SSHD certificate authority"
include_role:
name: openstack.osa.ssh_keypairs
vars:
ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
ssh_keypairs_dir: "{{ openstack_ssh_keypairs_dir }}"
ssh_keypairs: "{{ openstack_ssh_keypairs_authorities }}"
ssh_keypairs_install_authorities: false
ssh_keypairs_install_keypairs: false
- name: Import certificate_ssh_authority playbook
import_playbook: openstack.osa.certificate_ssh_authority


@ -13,7 +13,5 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Import container hosts playbook
import_playbook: "containers-lxc-host.yml"
- name: Import containers create playbook
import_playbook: "containers-lxc-create.yml"
- name: Import containers_deploy playbook
import_playbook: openstack.osa.containers_deploy


@ -13,103 +13,5 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Set lxc containers group
hosts: "{{ container_group | default('all_containers') }}"
gather_facts: false
tasks:
- name: Setup installation variables
include_role:
name: openstack.osa.install_defaults
defaults_from: "{{ install_method }}"
public: true
apply:
tags:
- always
tags:
- always
- name: Add hosts to dynamic inventory group
group_by:
key: lxc_containers
parents: all_lxc_containers
when:
- container_tech == 'lxc'
tags:
- always
- lxc-containers-create
- name: Gather lxc hosts facts
hosts: "{{ lxc_host_group | default('lxc_hosts') }}"
gather_facts: true
tags:
- always
- name: Create container(s)
hosts: all_lxc_containers
user: root
gather_facts: false
environment: "{{ deployment_environment_variables | default({}) }}"
tags:
- lxc-containers-create
pre_tasks:
- name: Setup installation variables
include_role:
name: openstack.osa.install_defaults
defaults_from: "{{ install_method }}"
public: true
apply:
tags:
- always
tags:
- always
roles:
- role: "lxc_container_create"
post_tasks:
- name: Wait for container connectivity
wait_for_connection:
connect_timeout: "{{ lxc_container_wait_params.connect_timeout | default(omit) }}"
delay: "{{ lxc_container_wait_params.delay | default(omit) }}"
sleep: "{{ lxc_container_wait_params.sleep | default(omit) }}"
timeout: "{{ lxc_container_wait_params.timeout | default(omit) }}"
- name: Clear facts for new container(s)
meta: clear_facts
- name: Gather lxc containers facts
hosts: all_lxc_containers
gather_facts: true
tags:
- always
- name: Configure containers default software
hosts: all_lxc_containers
user: root
gather_facts: false
environment: "{{ deployment_environment_variables | default({}) }}"
tags:
- lxc-containers-create
pre_tasks:
- name: Check for a supported Operating System
assert:
that:
- (ansible_facts['distribution'] == 'Debian' and ansible_facts['distribution_release'] == 'bullseye') or
(ansible_facts['distribution'] == 'Debian' and ansible_facts['distribution_release'] == 'bookworm') or
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_release'] == 'jammy') or
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_release'] == 'noble') or
(ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '9')
msg: >
The only supported platforms for this release are Debian 11 (Bullseye), Debian 12 (Bookworm)
Ubuntu 22.04 (Jammy), CentOS 9 Stream, and Rocky Linux 9.
- name: Setup installation variables
include_role:
name: openstack.osa.install_defaults
defaults_from: "{{ install_method }}"
public: true
apply:
tags:
- always
tags:
- always
roles:
- role: "openstack_hosts"
is_container: true
- name: Import containers_lxc_create playbook
import_playbook: openstack.osa.containers_lxc_create


@ -13,84 +13,5 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Set lxc containers group
hosts: "{{ container_group | default('all_containers') }}"
gather_facts: false
tasks:
- name: Add hosts to dynamic inventory group
group_by:
key: lxc_containers
parents: all_lxc_containers
when:
- container_tech == 'lxc'
tags:
- always
- lxc-containers-create
- name: Destroy lxc containers
hosts: all_lxc_containers
gather_facts: false
user: root
tasks:
- name: Slurp machine-id
slurp:
src: "/etc/machine-id"
register: _container_machine_id
changed_when: false
failed_when: false
tags:
- always
- name: Destroy a container
lxc_container:
name: "{{ container_name }}"
state: "absent"
delegate_to: "{{ physical_host }}"
when:
- force_containers_destroy | bool
- name: Destroy container journal directories
vars:
container_machine_id: "{{ ((_container_machine_id.content | default('bm9uZQo=')) | b64decode).strip() }}"
file:
path: "/var/log/journal/{{ container_machine_id }}"
state: "absent"
delegate_to: "{{ physical_host }}"
when:
- not _container_machine_id is failed
- force_containers_destroy | bool
- name: Destroy container service directories
file:
path: "{{ item }}"
state: "absent"
with_items:
- "/var/lib/lxc/{{ container_name }}"
delegate_to: "{{ physical_host }}"
when:
- force_containers_destroy | bool
- name: Destroy container data
file:
path: "{{ item }}"
state: "absent"
with_items:
- "/openstack/{{ container_name }}"
- "/openstack/backup/{{ container_name }}"
- "/openstack/log/{{ container_name }}"
- "/openstack/glusterd/{{ container_name }}"
- "/var/log/lxc/lxc-{{ container_name }}.log"
delegate_to: "{{ physical_host }}"
when:
- force_containers_destroy | bool
- force_containers_data_destroy | bool
vars_prompt:
- name: "force_containers_destroy"
prompt: "Are you sure you want to destroy the LXC containers?"
default: "no"
private: no
- name: "force_containers_data_destroy"
prompt: "Are you sure you want to destroy the LXC container data?"
default: "no"
private: no
tags:
- lxc-containers-destroy
- name: Import constainers_lxc_destroy playbook
import_playbook: openstack.osa.containers_lxc_destroy
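Review bot: The play name on the added line is misspelled as `constainers_lxc_destroy`; it should read `- name: Import containers_lxc_destroy playbook`. More importantly, the removed play gated every `state: absent` task on the `force_containers_destroy` and `force_containers_data_destroy` prompts, both defaulting to "no", and that guard is no longer visible from this file. It is worth confirming that `openstack.osa.containers_lxc_destroy` keeps both `vars_prompt` entries and their defaults, so that accepting the defaults still removes nothing.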


@ -13,50 +13,5 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Gather lxc hosts facts
hosts: "{{ lxc_host_group | default('lxc_hosts') }}"
gather_facts: "{{ osa_gather_facts | default(True) }}"
tags:
- always
- name: Basic lxc host setup
hosts: "{{ lxc_host_group | default('lxc_hosts') }}"
user: root
gather_facts: false
serial: "{{ lxc_hosts_serial | default(['100%']) }}"
environment: "{{ deployment_environment_variables | default({}) }}"
tags:
- lxc-hosts
pre_tasks:
- name: Setup installation variables
include_role:
name: openstack.osa.install_defaults
defaults_from: "{{ install_method }}"
public: true
- name: Check the state of the default LXC service log directory
stat:
path: "/var/log/lxc"
register: _lxc_log_dir
- name: Create the log aggregation parent directory
file:
path: "/openstack/log"
state: directory
mode: "0755"
- name: Move the existing folder to the log aggregation parent
command: "mv /var/log/lxc /openstack/log/{{ inventory_hostname }}-lxc" # noqa: no-changed-when
when:
- _lxc_log_dir.stat.isdir is defined
- _lxc_log_dir.stat.isdir | bool
- name: Create the new LXC service log directory
file:
path: "/openstack/log/{{ inventory_hostname }}-lxc"
state: directory
mode: "0755"
- name: Create the LXC service log aggregation link
file:
src: "/openstack/log/{{ inventory_hostname }}-lxc"
dest: "/var/log/lxc"
state: "link"
roles:
- role: "lxc_hosts"
- name: Import containers_lxc_host playbook
import_playbook: openstack.osa.containers_lxc_host


@ -13,69 +13,5 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# NOTE(mhayden): CentOS always has python (because of yum), but it's possible
# that Ubuntu nodes may not have python by default. Ansible doesn't work very
# well if Python isn't installed.
#
# Also, we can't use a 'when' to check for the ansible_facts['pkg_mgr'] here because
# we haven't gathered facts yet.
- name: Install Ansible prerequisites
hosts: "{{ openstack_host_group|default('hosts') }}"
gather_facts: false
user: root
pre_tasks:
- name: Ensure python is installed
register: result
raw: |
if which apt-get >/dev/null && ! which python >/dev/null ; then
if ! which python3 >/dev/null ; then
apt-get -y install python3
fi
update-alternatives --install /usr/bin/python python /usr/bin/python3 10
exit 2
else
exit 0
fi
changed_when: "result.rc == 2"
failed_when: "result.rc not in [0, 2]"
- name: Gather host facts
hosts: "{{ openstack_host_group|default('hosts') }}"
gather_facts: "{{ osa_gather_facts | default(True) }}"
tags:
- always
- name: Basic host setup
hosts: "{{ openstack_host_group|default('hosts') }}"
gather_facts: false
user: root
pre_tasks:
- name: Setup installation variables
include_role:
name: openstack.osa.install_defaults
defaults_from: "{{ install_method }}"
public: true
apply:
tags:
- always
tags:
- always
- name: Check for a supported Operating System
assert:
that:
- (ansible_facts['distribution'] == 'Debian' and ansible_facts['distribution_release'] == 'bookworm') or
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_release'] == 'jammy') or
(ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_release'] == 'noble') or
(ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '9')
msg: >
The only supported platforms for this release are Debian 12 (Bookworm)
Ubuntu 22.04 (Jammy), CentOS 9 Stream, and Rocky Linux 9.
roles:
- role: "openstack_hosts"
post_tasks:
- name: Ensure deploy host SSH connection is reset
meta: reset_connection
environment: "{{ deployment_environment_variables | default({}) }}"
tags:
- openstack-hosts
- name: Import openstack_hosts_setup playbook
import_playbook: openstack.osa.openstack_hosts_setup


@ -13,34 +13,5 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# As an additional safeguard, this playbook requires the
# 'apply_security_hardening' boolean set to True for it to apply security
# hardening standards to a system.
- name: Gather security hardening facts
hosts: "{{ security_host_group|default('hosts') }}"
gather_facts: "{{ osa_gather_facts | default(True) }}"
tasks:
- name: Gather additional facts
include_role:
name: openstack.osa.gather_extra_facts
vars:
deployment_extra_facts_filter: ansible_mounts
deployment_extra_facts_subset: "!all,hardware"
when: osa_gather_facts | default(True)
tags:
- always
- name: Apply security hardening configurations
hosts: "{{ security_host_group|default('hosts') }}"
gather_facts: false
user: root
pre_tasks:
tasks:
- name: Include security hardening role
include_role:
name: "ansible-hardening"
when: apply_security_hardening | bool
environment: "{{ deployment_environment_variables | default({}) }}"
tags:
- security
- name: Import security_hardening playbook
import_playbook: openstack.osa.security_hardening
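Review bot: The comment describing the `apply_security_hardening` safeguard is deleted together with the play, so this file no longer tells an operator that hardening is opt-in by variable. Whether `openstack.osa.security_hardening` still applies `when: apply_security_hardening | bool` and carries the `security` tag cannot be seen from this hunk. Assuming it does, I would keep a pointer in the wrapper, e.g. `# Hardening is applied only when apply_security_hardening is true; see openstack.osa.security_hardening.`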


@ -1,5 +1,5 @@
---
# Copyright 2014, Rackspace US, Inc.
# Copyright 2024, BBC R&D.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -13,26 +13,5 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Importing pre hook playbook
import_playbook: "{{ pre_setup_hosts_hook | default('hook-dummy.yml') }}"
- name: Importing certificate-authority playbook
import_playbook: certificate-authority.yml
- name: Importing certificate-ssh-authority playbook
import_playbook: certificate-ssh-authority.yml
- name: Importing certificate-generate playbook
import_playbook: certificate-generate.yml
- name: Importing openstack-hosts-setup playbook
import_playbook: openstack-hosts-setup.yml
- name: Importing containers-deploy playbook
import_playbook: containers-deploy.yml
- name: Importing security-hardening playbook
import_playbook: security-hardening.yml
- name: Importing post hook playbook
import_playbook: "{{ post_setup_hosts_hook | default('hook-dummy.yml') }}"
- name: Importing certificate_authority playbook
import_playbook: openstack.osa.setup_hosts
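Review bot: The added play is named `Importing certificate_authority playbook` but imports `openstack.osa.setup_hosts`, which looks like a copy-paste leftover; `- name: Importing setup_hosts playbook` would match what it does. The removed sequence also wrapped the run in `pre_setup_hosts_hook` and `post_setup_hosts_hook`, and whether the collection playbook still honours those variables is not visible here. Deployers who rely on the hooks would need that confirmed before this merges.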