Merge branch 'main' into multiple-certs

.github/workflows/openstack-ansibleee-runner.yaml

@@ -53,7 +53,7 @@ jobs:
       uses: redhat-actions/buildah-build@v2
       with:
         image: openstack-ansibleee-runner
-        tags: ${{ env.latesttag }} ${{ github.sha }}
+        tags: ${{ env.latesttag }} ${{ github.sha }} current-podified
         containerfiles: |
           ./openstack_ansibleee/Dockerfile
 

docs/source/playbooks/tripleo_cleanup.rst

@@ -0,0 +1,10 @@
+==========================
+Playbook - tripleo_cleanup
+==========================
+
+Stops and disables all tripleo services running on target hosts.
+Heuristic based on systemd unit name pattern matching is used to determine
+which services should be stopped and disabled.
+
+.. literalinclude:: ../../../playbooks/tripleo_cleanup.yml
+   :language: YAML

docs/source/roles/role-edpm_reboot.rst

@@ -14,20 +14,22 @@ This Ansible role allows to do the following tasks:
 
 * Reboot EDPM computes.
   During deployment reboot is triggered automatically if required. During
-  post-deployment reconfiguration reboot is not started. User has to plan
-  reboot maintenance window and set `edpm_reboot_force_reboot` flag to true.
+  post-deployment reconfiguration or adoption process reboot is not started.
+  User has to plan reboot maintenance window and set `edpm_reboot_strategy`
+  flag to force.
 
-Here is an example of a playbook to start reboot:
+
+Here is an example of a playbook to  force start reboot:
 
 .. code-block:: YAML
 
-    - name: Check and start reboot of nodes if required
+    - name: Force start reboot of nodes
       block:
-        - name: "Check and start reboot of nodes if required"
+        - name: "Force start reboot of nodes"
           include_role:
             name: edpm_reboot
            vars:
-             edpm_reboot_force_reboot: true
+             edpm_reboot_strategy: force
 
 
 .. include::

docs/source/roles/role-edpm_tripleo_cleanup.rst

@@ -0,0 +1,13 @@
+================================
+Role - edpm_tripleo_cleanup
+================================
+
+Role stops and disables all systemd units enumerated to it.
+If the role doesn't recieve list of services, it will instead stop and disable
+all units containing string "tripleo" in their name.
+
+This way we can effectivelly prevent any leftovers of original tripleo based
+deployment from interfering with post-adoption setup.
+
+.. include::
+  ../collections/osp/edpm/edpm_tripleo_cleanup_role.rst

playbooks/tripleo_cleanup.yml

@@ -0,0 +1,27 @@
+---
+# Copyright 2024 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Cleanup Tripleo services
+  hosts: "{{ edpm_override_hosts | default('all', true) }}"
+  strategy: linear
+  gather_facts: true
+  any_errors_fatal: "{{ edpm_any_errors_fatal | default(true) }}"
+  max_fail_percentage: "{{ edpm_max_fail_percentage | default(0) }}"
+  tasks:
+    - name: Stop and disable Tripleo services
+      ansible.builtin.import_role:
+        name: osp.edpm.edpm_tripleo_cleanup

roles/edpm_bootstrap/tasks/fips.yml

@@ -61,7 +61,7 @@
             mode: "0600"
         - name: Call edpm_reboot role
           vars:
-            edpm_reboot_force_reboot: true
+            edpm_reboot_strategy: force
           ansible.builtin.include_role:
             name: edpm_reboot
 

roles/edpm_neutron_dhcp/tasks/run.yml

@@ -25,7 +25,7 @@
     name: osp.edpm.edpm_container_standalone
   vars:
     edpm_debug: true
-    edpm_container_standalone_service: neutron_dhcp_agent
+    edpm_container_standalone_service: neutron_dhcp
     edpm_container_standalone_container_defs:
       neutron_dhcp_agent: "{{ lookup('template', 'neutron_dhcp_agent.yaml.j2') | from_yaml }}"
     edpm_container_standalone_kolla_config_files:

roles/edpm_ovn/defaults/main.yml

@@ -39,6 +39,7 @@ edpm_ovn_chassis_mac_mapping_prefixes:
 
 edpm_ovn_chassis_mac_mapping_seed: "{{ ansible_machine_id }}"
 edpm_ovn_encap_type: geneve
+edpm_ovn_encap_tos: "0"
 edpm_ovn_dbs: []
 edpm_enable_chassis_gw: false
 edpm_enable_chassis_extport: false
@@ -84,6 +85,7 @@ edpm_ovn_ovs_external_ids:
     {{ chassis_mac_mappings | join(',') }}"
   ovn-encap-ip: "{{ edpm_ovn_encap_ip }}"
   ovn-encap-type: "{{ edpm_ovn_encap_type }}"
+  ovn-encap-tos: "{{ edpm_ovn_encap_tos }}"
   ovn-match-northd-version: "{{ ovn_match_northd_version }}"
   ovn-monitor-all: "{{ ovn_monitor_all }}"
   ovn-remote: >-

roles/edpm_ovn/meta/argument_specs.yml

@@ -82,6 +82,11 @@ argument_specs:
         description: >
           Passed to the `edpm_ovn_ovs_external_ids` as value for the `ovn-encap-type`.
         type: str
+      edpm_ovn_encap_tos:
+        default: '0'
+        description: >
+          Passed to the `edpm_ovn_ovs_external_ids` as value for the `ovn-encap-tos`.
+        type: str
       edpm_ovn_multi_rhel:
         default: false
         description: ''

roles/edpm_ovn/molecule/default/verify-tasks.yml

@@ -13,6 +13,12 @@
   register: output
   failed_when: output.stdout != 'geneve'
 
+- name: Verify ovn-encap-tos
+  ansible.builtin.shell: >
+    /usr/bin/ovs-vsctl get open_vswitch . external_ids:ovn-encap-tos
+  register: output
+  failed_when: output.stdout != '"0"'
+
 - name: Verify ovn firewall rules are applied
   block:
     - name: Rule source file exists

roles/edpm_ovn/molecule/noconfig/verify.yml

@@ -16,3 +16,9 @@
         /usr/bin/ovs-vsctl get open_vswitch . external_ids:ovn-encap-type
       register: output
       failed_when: output.stdout != 'vxlan'
+
+    - name: Verify ovn-encap-tos
+      ansible.builtin.shell: >
+        /usr/bin/ovs-vsctl get open_vswitch . external_ids:ovn-encap-tos
+      register: output
+      failed_when: output.stdout != '"0"'

roles/edpm_pre_adoption_validation/molecule/hostname-adoption-positive/molecule.yml

@@ -4,7 +4,10 @@ dependency:
 driver:
   name: podman
 platforms:
-- name: edpm-0
+# NOTE(gibi): we are forcing FQDN as hostname here. This is not super realistic
+# but works for our testing purposes to simulate that hostname -f returns
+# FQDN
+- name: edpm-0.localdomain
   command: /sbin/init
   dockerfile: ../../../../molecule/common/Containerfile.j2
   image: ${EDPM_ANSIBLE_MOLECULE_IMAGE:-"ubi9/ubi-init"}
@@ -20,7 +23,7 @@ provisioner:
         vars:
           edpm_pre_adoption_validation_tuned_enabled: false
         hosts:
-          edpm-0:
+          edpm-0.localdomain:
             canonical_hostname: edpm-0.localdomain
 
 verifier:

roles/edpm_pre_adoption_validation/molecule/hostname-adoption-positive/prepare.yml

@@ -23,6 +23,12 @@
 - name: Setup DUT
   hosts: all
   pre_tasks:
+    - name: Install hostname
+      become: true
+      ansible.builtin.dnf:
+        name: "hostname"
+        state: present
+
     - name: Ensure old config directory exists
       ansible.builtin.file:
         path: "{{ item.path }}"

roles/edpm_pre_adoption_validation/molecule/hostname-service-config-hostname-mismatch/converge.yml

@@ -0,0 +1,19 @@
+---
+- name: Converge
+  hosts: all
+  tasks:
+    - name: Converge
+      block:
+        - name: "Include role"
+          ansible.builtin.include_role:
+            name: osp.edpm.edpm_pre_adoption_validation
+
+        - name: "Check execution halted"
+          ansible.builtin.fail:
+            msg: "Execution should stop before this task"
+          register: should_not_run
+      rescue:
+        - name: Asset that role failed
+          ansible.builtin.assert:
+            that:
+              - should_not_run is not defined

roles/edpm_pre_adoption_validation/molecule/hostname-service-config-hostname-mismatch/molecule.yml

@@ -0,0 +1,33 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: podman
+platforms:
+- name: edpm-0
+  command: /sbin/init
+  dockerfile: ../../../../molecule/common/Containerfile.j2
+  image: ${EDPM_ANSIBLE_MOLECULE_IMAGE:-"ubi9/ubi-init"}
+  registry:
+    url: ${EDPM_ANSIBLE_MOLECULE_REGISTRY:-"registry.access.redhat.com"}
+  ulimits:
+  - host
+provisioner:
+  name: ansible
+  inventory:
+    hosts:
+      all:
+        vars:
+          edpm_pre_adoption_validation_tuned_enabled: false
+        hosts:
+          edpm-0:
+            canonical_hostname: edpm-0.localdomain
+
+verifier:
+  name: ansible
+scenario:
+  test_sequence:
+     - destroy
+     - create
+     - prepare
+     - converge

roles/edpm_pre_adoption_validation/molecule/hostname-service-config-hostname-mismatch/prepare.yml

@@ -0,0 +1,52 @@
+---
+# Copyright 2023 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Prepare
+  hosts: all
+  roles:
+    - role: ../../../../molecule/common/test_deps  # noqa: role-name[path]
+    - role: osp.edpm.env_data
+- name: Setup DUT
+  hosts: all
+  pre_tasks:
+    - name: Install hostname
+      become: true
+      ansible.builtin.dnf:
+        name: "hostname"
+        state: present
+
+    - name: Ensure old config directory exists
+      ansible.builtin.file:
+        path: "{{ item.path }}"
+        state: "directory"
+        mode: "0777"
+      loop:
+        - {"path": "/var/lib/config-data/puppet-generated/nova_libvirt/etc/nova/"}
+        - {"path": "/var/lib/config-data/puppet-generated/neutron/etc/neutron/"}
+
+    - name: Copy old configs to simulate a tripleo deployment
+      become: true
+      vars:
+        test_data: "{{ lookup('env', 'MOLECULE_SCENARIO_DIRECTORY') }}/test-data"
+      ansible.builtin.copy:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+        mode: preserve
+      loop:
+        - {"src": "{{ test_data }}/old_nova.conf", "dest": "/var/lib/config-data/puppet-generated/nova_libvirt/etc/nova/nova.conf"}
+        - {"src": "{{ test_data }}/old_neutron.conf", "dest": "/var/lib/config-data/puppet-generated/neutron/etc/neutron/neutron.conf"}
+  tasks: []

roles/edpm_pre_adoption_validation/molecule/hostname-service-config-hostname-mismatch/test-data/old_neutron.conf

@@ -0,0 +1,2 @@
+[DEFAULT]
+host=edpm-0.localdomain

roles/edpm_pre_adoption_validation/molecule/hostname-service-config-hostname-mismatch/test-data/old_nova.conf

@@ -0,0 +1,2 @@
+[DEFAULT]
+host = edpm-0.localdomain

roles/edpm_pre_adoption_validation/tasks/hostname.yml

@@ -66,3 +66,15 @@
           - "canonical_hostname: {{ canonical_hostname }}"
           - "old nova service host config: {{ nova_old_config_output.stdout | default('not found') }}"
           - "old neutron service host config: {{ neutron_old_config_output.stdout | default('not found') }}"
+
+- name: Check if hostname -f is consistent with the hostname in nova.conf {{ nova_old_config_output.stdout }}
+  become: true
+  tags:
+    - adoption
+    - validation
+  when: nova_old_config_file.stat.exists
+  ansible.builtin.command:
+    cmd: /usr/bin/hostname -f
+  register: hypervisor_hostname
+  changed_when: false
+  failed_when: hypervisor_hostname.stdout != nova_old_config_output.stdout

roles/edpm_reboot/defaults/main.yaml

@@ -17,7 +17,8 @@
 
 # All variables intended for modification should be placed in this file.
 
-edpm_reboot_force_reboot: false
-edpm_reboot_nova_compute_config_dir: /var/lib/openstack/config/nova
+edpm_reboot_strategy: auto
+edpm_reboot_old_tripleo_node_config_dir: /var/lib/config-data
+edpm_reboot_edpm_node_config_dir: /var/lib/openstack/config
 edpm_reboot_timeout_reboot: 3600
 edpm_reboot_post_reboot_delay: 60

roles/edpm_reboot/meta/argument_specs.yml

@@ -4,17 +4,21 @@ argument_specs:
   main:
     short_description: The main entry point for the edpm_reboot role.
     options:
-      edpm_reboot_force_reboot:
+      edpm_reboot_strategy:
         description: |
-          Force reboot of the node. Automated reboot for nodes is by defulat defered as it can impact running vms.
-          Only on initial run when nova related files are not yet created reboot is not defered.
-          When edpm_reboot_force_reboot is set to true, reboot is allowed and will be perfomed if required.
-        type: bool
-        default: false
-      edpm_reboot_nova_compute_config_dir:
+          Default strategy is auto. In auto mode reboot for deployed nodes is by default defered as it can
+          impact running vms or openstack services. Only on initial run when nova related files are not yet created reboot is not defered.
+          When edpm_reboot_force_reboot is set to force, reboot is allowed and will be perfomed always.
+        type: str
+        default: auto
+      edpm_reboot_old_tripleo_node_config_dir:
         type: path
-        default: /var/lib/openstack/config/nova
-        description: This should be synced with edpm_nova_compute role
+        default: /var/lib/config-data
+        description: Path to check for tripleo pre-adopted nodes
+      edpm_reboot_edpm_node_config_dir:
+        type: path
+        default: /var/lib/openstack/config
+        description: Path for storing configuration of edpm nodes. This should be synced with edpm-ansible roles.
       edpm_reboot_timeout_reboot:
         type: int
         default: 3600