- block: - file: path: '{{ item }}' serole: object_r setype: cert_t seuser: system_u state: directory name: Create dirs for certificates and keys with_items: - /etc/pki/tls/certs/httpd - /etc/pki/tls/private/httpd - include_role: name: linux-system-roles.certificate vars: certificate_requests: - ca: ipa dns: '{{ fqdn_ctlplane }}' key_size: '2048' name: httpd-ctlplane principal: HTTP/{{ fqdn_ctlplane }}@{{ idm_realm }} run_after: 'cp /etc/pki/tls/certs/httpd-ctlplane.crt /etc/pki/tls/certs/httpd/httpd-ctlplane.crt cp /etc/pki/tls/private/httpd-ctlplane.key /etc/pki/tls/private/httpd/httpd-ctlplane.key pkill -USR1 httpd ' - ca: ipa dns: '{{ fqdn_storage }}' key_size: '2048' name: httpd-storage principal: HTTP/{{ fqdn_storage }}@{{ idm_realm }} run_after: 'cp /etc/pki/tls/certs/httpd-storage.crt /etc/pki/tls/certs/httpd/httpd-storage.crt cp /etc/pki/tls/private/httpd-storage.key /etc/pki/tls/private/httpd/httpd-storage.key pkill -USR1 httpd ' - ca: ipa dns: '{{ fqdn_storage_mgmt }}' key_size: '2048' name: httpd-storage_mgmt principal: HTTP/{{ fqdn_storage_mgmt }}@{{ idm_realm }} run_after: 'cp /etc/pki/tls/certs/httpd-storage_mgmt.crt /etc/pki/tls/certs/httpd/httpd-storage_mgmt.crt cp /etc/pki/tls/private/httpd-storage_mgmt.key /etc/pki/tls/private/httpd/httpd-storage_mgmt.key pkill -USR1 httpd ' - ca: ipa dns: '{{ fqdn_internal_api }}' key_size: '2048' name: httpd-internal_api principal: HTTP/{{ fqdn_internal_api }}@{{ idm_realm }} run_after: 'cp /etc/pki/tls/certs/httpd-internal_api.crt /etc/pki/tls/certs/httpd/httpd-internal_api.crt cp /etc/pki/tls/private/httpd-internal_api.key /etc/pki/tls/private/httpd/httpd-internal_api.key pkill -USR1 httpd ' - ca: ipa dns: '{{ fqdn_external }}' key_size: '2048' name: httpd-external principal: HTTP/{{ fqdn_external }}@{{ idm_realm }} run_after: 'cp /etc/pki/tls/certs/httpd-external.crt /etc/pki/tls/certs/httpd/httpd-external.crt cp /etc/pki/tls/private/httpd-external.key /etc/pki/tls/private/httpd/httpd-external.key pkill -USR1 httpd ' name: Certificate generation when: - step|int == 1 - enable_internal_tls - import_role: name: tripleo_container_tag name: Cinder Backup tag container image for pacemaker vars: container_image: registry.redhat.io/rhosp-rhel9/openstack-cinder-backup:17.1 container_image_latest: cluster.common.tag/cinder-backup:pcmklatest when: step|int == 1 - import_role: name: tripleo_container_tag name: Cinder Volume tag container image for pacemaker vars: container_image: registry.redhat.io/rhosp-rhel9/openstack-cinder-volume:17.1 container_image_latest: cluster.common.tag/cinder-volume:pcmklatest when: step|int == 1 - block: - name: Check if rsyslog exists register: rsyslog_config shell: systemctl is-active rsyslog - block: - blockinfile: content: 'if $syslogfacility-text == ''{{facility}}'' and $programname == ''haproxy'' then -/var/log/containers/haproxy/haproxy.log & stop ' create: true path: /etc/rsyslog.d/openstack-haproxy.conf name: Forward logging to haproxy.log file register: logconfig vars: facility: local0 - name: restart rsyslog service after logging conf change service: name: rsyslog state: restarted when: logconfig is changed when: - rsyslog_config is changed - rsyslog_config.rc == 0 name: Configure rsyslog for HAproxy container managed by Pacemaker when: step|int == 1 - import_role: name: tripleo_container_tag name: HAproxy tag container image for pacemaker vars: container_image: registry.redhat.io/rhosp-rhel9/openstack-haproxy:17.1 container_image_latest: cluster.common.tag/haproxy:pcmklatest when: step|int == 1 - block: - name: make sure certmonger is installed package: name: certmonger state: present - name: make sure certmonger service is started systemd: enabled: true masked: false name: certmonger.service state: started - file: path: '{{ item }}' serole: object_r setype: cert_t seuser: system_u state: directory name: Create dirs for certificates and keys with_items: - /etc/pki/tls/certs/haproxy - /etc/pki/tls/private/haproxy - delay: 1 name: Extract and trust certmonger's local CA register: local_ca_extract_result retries: 5 shell: 'set -e ca_pem=''/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'' openssl pkcs12 -in /var/lib/certmonger/local/creds -out ${ca_pem} -nokeys -nodes -passin pass:'''' chmod 0644 ${ca_pem} update-ca-trust extract test -e ${ca_pem} && openssl x509 -checkend 0 -noout -in ${ca_pem} ' until: local_ca_extract_result.rc == 0 when: certmonger_ca != 'IPA' and (ipa_realm is not defined) - include_role: name: linux-system-roles.certificate vars: certificate_requests: - ca: '{{ (certmonger_ca == ''IPA'' or idm_realm is defined) | ternary(''ipa'', ''self-sign'') }}' dns: '{{cloud_names.cloud_name_external}}' ip: '{{[cloud_names.cloud_name_external]|ipaddr}}' key_size: '2048' name: haproxy-external-cert principal: haproxy/{{cloud_names.cloud_name_external}}@{{idm_realm|default('UNDERCLOUD')}} run_after: "# Copy crt and key for backward compatibility\ncp \"/etc/pki/tls/certs/haproxy-external-cert.crt\"\ \ \"/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.crt\"\ncp \"/etc/pki/tls/private/haproxy-external-cert.key\"\ \ \"/etc/pki/tls/private/haproxy/overcloud-haproxy-external.key\"\n\nca_type={{\ \ (certmonger_ca == 'IPA' or idm_realm is defined) | ternary('ipa', 'self-sign')\ \ }}\nif [ \"$ca_type\" = \"self-sign\" ]; then\n # refresh the ca cert\ \ just in case the ca cert has been renewed\n ca_pem='/etc/pki/ca-trust/source/anchors/cm-local-ca.pem'\n\ \ openssl pkcs12 -in /var/lib/certmonger/local/creds -out ${ca_pem} -nokeys\ \ -nodes -passin pass:''\n chmod 0644 ${ca_pem}\n update-ca-trust extract\n\ \ test -e ${ca_pem} && openssl x509 -checkend 0 -noout -in ${ca_pem}\n\ \ openssl x509 -in ${ca_pem} -out /tmp/cm-local-ca.pem\n ca_path=\"/tmp/cm-local-ca.pem\"\ \nelse\n ca_path=\"/etc/ipa/ca.crt\"\nfi\n\nservice_crt=\"/etc/pki/tls/certs/haproxy/overcloud-haproxy-external.crt\"\ \nservice_key=\"/etc/pki/tls/private/haproxy/overcloud-haproxy-external.key\"\ \nservice_pem=\"/etc/pki/tls/private/overcloud_endpoint.pem\"\n\ncat \"\ $service_crt\" \"$ca_path\" \"$service_key\" > \"$service_pem\"\n\ncontainer_name=$({{container_cli}}\ \ ps --format=\\{\\{.Names\\}\\} | grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')\n\ # Inject the new pem into the running container\nif echo \"$container_name\"\ \ | grep -q \"^haproxy-bundle\"; then\n # lp#1917868: Do not use podman\ \ cp with HA containers as they get\n # frozen temporarily and that can\ \ make pacemaker operation fail.\n tar -c \"$service_pem\" | {{container_cli}}\ \ exec -i \"$container_name\" tar -C / -xv\n # no need to update the mount\ \ point, because pacemaker\n # recreates the container when it's restarted\n\ else\n # Refresh the pem at the mount-point\n {{container_cli}} cp $service_pem\ \ \"$container_name:/var/lib/kolla/config_files/src-tls/$service_pem\"\n\ \ # Copy the new pem from the mount-point to the real path\n {{container_cli}}\ \ exec \"$container_name\" cp \"/var/lib/kolla/config_files/src-tls$service_pem\"\ \ \"$service_pem\"\nfi\n# Set appropriate permissions\n{{container_cli}}\ \ exec \"$container_name\" chown haproxy:haproxy \"$service_pem\"\n# Trigger\ \ a reload for HAProxy to read the new certificates\n{{container_cli}} kill\ \ --signal HUP \"$container_name\"\n" name: Certificate generation vars: certmonger_ca: '' when: step|int == 1 - block: - file: path: '{{ item }}' serole: object_r setype: cert_t seuser: system_u state: directory name: Create dirs for certificates and keys with_items: - /etc/pki/tls/certs/haproxy - /etc/pki/tls/private/haproxy - include_role: name: linux-system-roles.certificate vars: certificate_requests: - ca: ipa dns: - '{{fqdn_ctlplane}}' - '{{cloud_names.cloud_name_ctlplane}}' key_size: '2048' name: haproxy-ctlplane-cert principal: haproxy/{{fqdn_ctlplane}}@{{idm_realm}} run_after: "# Copy crt and key for backward compatibility\ncp \"/etc/pki/tls/certs/haproxy-ctlplane-cert.crt\"\ \ \"/etc/pki/tls/certs/haproxy/overcloud-haproxy-ctlplane.crt\"\ncp \"/etc/pki/tls/private/haproxy-ctlplane-cert.key\"\ \ \"/etc/pki/tls/private/haproxy/overcloud-haproxy-ctlplane.key\"\n\nca_path=\"\ /etc/ipa/ca.crt\"\nservice_crt=\"/etc/pki/tls/certs/haproxy/overcloud-haproxy-ctlplane.crt\"\ \nservice_key=\"/etc/pki/tls/private/haproxy/overcloud-haproxy-ctlplane.key\"\ \nservice_pem=\"/etc/pki/tls/certs/haproxy/overcloud-haproxy-ctlplane.pem\"\ \n\ncat \"$service_crt\" \"$ca_path\" \"$service_key\" > \"$service_pem\"\ \n\ncontainer_name=$({{container_cli}} ps --format=\\{\\{.Names\\}\\} |\ \ grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')\n# Inject the new pem into the\ \ running container\nif echo \"$container_name\" | grep -q \"^haproxy-bundle\"\ ; then\n # lp#1917868: Do not use podman cp with HA containers as they\ \ get\n # frozen temporarily and that can make pacemaker operation fail.\n\ \ tar -c \"$service_pem\" | {{container_cli}} exec -i \"$container_name\"\ \ tar -C / -xv\n # no need to update the mount point, because pacemaker\n\ \ # recreates the container when it's restarted\nelse\n # Refresh the\ \ pem at the mount-point\n {{container_cli}} cp $service_pem \"$container_name:/var/lib/kolla/config_files/src-tls/$service_pem\"\ \n # Copy the new pem from the mount-point to the real path\n {{container_cli}}\ \ exec \"$container_name\" cp \"/var/lib/kolla/config_files/src-tls$service_pem\"\ \ \"$service_pem\"\nfi\n# Set appropriate permissions\n{{container_cli}}\ \ exec \"$container_name\" chown haproxy:haproxy \"$service_pem\"\n# Trigger\ \ a reload for HAProxy to read the new certificates\n{{container_cli}} kill\ \ --signal HUP \"$container_name\"\n" - ca: ipa dns: - '{{fqdn_storage}}' - '{{cloud_names.cloud_name_storage}}' key_size: '2048' name: haproxy-storage-cert principal: haproxy/{{fqdn_storage}}@{{idm_realm}} run_after: "# Copy crt and key for backward compatibility\ncp \"/etc/pki/tls/certs/haproxy-storage-cert.crt\"\ \ \"/etc/pki/tls/certs/haproxy/overcloud-haproxy-storage.crt\"\ncp \"/etc/pki/tls/private/haproxy-storage-cert.key\"\ \ \"/etc/pki/tls/private/haproxy/overcloud-haproxy-storage.key\"\n\nca_path=\"\ /etc/ipa/ca.crt\"\nservice_crt=\"/etc/pki/tls/certs/haproxy/overcloud-haproxy-storage.crt\"\ \nservice_key=\"/etc/pki/tls/private/haproxy/overcloud-haproxy-storage.key\"\ \nservice_pem=\"/etc/pki/tls/certs/haproxy/overcloud-haproxy-storage.pem\"\ \n\ncat \"$service_crt\" \"$ca_path\" \"$service_key\" > \"$service_pem\"\ \n\ncontainer_name=$({{container_cli}} ps --format=\\{\\{.Names\\}\\} |\ \ grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')\n# Inject the new pem into the\ \ running container\nif echo \"$container_name\" | grep -q \"^haproxy-bundle\"\ ; then\n # lp#1917868: Do not use podman cp with HA containers as they\ \ get\n # frozen temporarily and that can make pacemaker operation fail.\n\ \ tar -c \"$service_pem\" | {{container_cli}} exec -i \"$container_name\"\ \ tar -C / -xv\n # no need to update the mount point, because pacemaker\n\ \ # recreates the container when it's restarted\nelse\n # Refresh the\ \ pem at the mount-point\n {{container_cli}} cp $service_pem \"$container_name:/var/lib/kolla/config_files/src-tls/$service_pem\"\ \n # Copy the new pem from the mount-point to the real path\n {{container_cli}}\ \ exec \"$container_name\" cp \"/var/lib/kolla/config_files/src-tls$service_pem\"\ \ \"$service_pem\"\nfi\n# Set appropriate permissions\n{{container_cli}}\ \ exec \"$container_name\" chown haproxy:haproxy \"$service_pem\"\n# Trigger\ \ a reload for HAProxy to read the new certificates\n{{container_cli}} kill\ \ --signal HUP \"$container_name\"\n" - ca: ipa dns: - '{{fqdn_storage_mgmt}}' - '{{cloud_names.cloud_name_storage_mgmt}}' key_size: '2048' name: haproxy-storage_mgmt-cert principal: haproxy/{{fqdn_storage_mgmt}}@{{idm_realm}} run_after: "# Copy crt and key for backward compatibility\ncp \"/etc/pki/tls/certs/haproxy-storage_mgmt-cert.crt\"\ \ \"/etc/pki/tls/certs/haproxy/overcloud-haproxy-storage_mgmt.crt\"\ncp\ \ \"/etc/pki/tls/private/haproxy-storage_mgmt-cert.key\" \"/etc/pki/tls/private/haproxy/overcloud-haproxy-storage_mgmt.key\"\ \n\nca_path=\"/etc/ipa/ca.crt\"\nservice_crt=\"/etc/pki/tls/certs/haproxy/overcloud-haproxy-storage_mgmt.crt\"\ \nservice_key=\"/etc/pki/tls/private/haproxy/overcloud-haproxy-storage_mgmt.key\"\ \nservice_pem=\"/etc/pki/tls/certs/haproxy/overcloud-haproxy-storage_mgmt.pem\"\ \n\ncat \"$service_crt\" \"$ca_path\" \"$service_key\" > \"$service_pem\"\ \n\ncontainer_name=$({{container_cli}} ps --format=\\{\\{.Names\\}\\} |\ \ grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')\n# Inject the new pem into the\ \ running container\nif echo \"$container_name\" | grep -q \"^haproxy-bundle\"\ ; then\n # lp#1917868: Do not use podman cp with HA containers as they\ \ get\n # frozen temporarily and that can make pacemaker operation fail.\n\ \ tar -c \"$service_pem\" | {{container_cli}} exec -i \"$container_name\"\ \ tar -C / -xv\n # no need to update the mount point, because pacemaker\n\ \ # recreates the container when it's restarted\nelse\n # Refresh the\ \ pem at the mount-point\n {{container_cli}} cp $service_pem \"$container_name:/var/lib/kolla/config_files/src-tls/$service_pem\"\ \n # Copy the new pem from the mount-point to the real path\n {{container_cli}}\ \ exec \"$container_name\" cp \"/var/lib/kolla/config_files/src-tls$service_pem\"\ \ \"$service_pem\"\nfi\n# Set appropriate permissions\n{{container_cli}}\ \ exec \"$container_name\" chown haproxy:haproxy \"$service_pem\"\n# Trigger\ \ a reload for HAProxy to read the new certificates\n{{container_cli}} kill\ \ --signal HUP \"$container_name\"\n" - ca: ipa dns: - '{{fqdn_internal_api}}' - '{{cloud_names.cloud_name_internal_api}}' key_size: '2048' name: haproxy-internal_api-cert principal: haproxy/{{fqdn_internal_api}}@{{idm_realm}} run_after: "# Copy crt and key for backward compatibility\ncp \"/etc/pki/tls/certs/haproxy-internal_api-cert.crt\"\ \ \"/etc/pki/tls/certs/haproxy/overcloud-haproxy-internal_api.crt\"\ncp\ \ \"/etc/pki/tls/private/haproxy-internal_api-cert.key\" \"/etc/pki/tls/private/haproxy/overcloud-haproxy-internal_api.key\"\ \n\nca_path=\"/etc/ipa/ca.crt\"\nservice_crt=\"/etc/pki/tls/certs/haproxy/overcloud-haproxy-internal_api.crt\"\ \nservice_key=\"/etc/pki/tls/private/haproxy/overcloud-haproxy-internal_api.key\"\ \nservice_pem=\"/etc/pki/tls/certs/haproxy/overcloud-haproxy-internal_api.pem\"\ \n\ncat \"$service_crt\" \"$ca_path\" \"$service_key\" > \"$service_pem\"\ \n\ncontainer_name=$({{container_cli}} ps --format=\\{\\{.Names\\}\\} |\ \ grep -w -E 'haproxy(-bundle-.*-[0-9]+)?')\n# Inject the new pem into the\ \ running container\nif echo \"$container_name\" | grep -q \"^haproxy-bundle\"\ ; then\n # lp#1917868: Do not use podman cp with HA containers as they\ \ get\n # frozen temporarily and that can make pacemaker operation fail.\n\ \ tar -c \"$service_pem\" | {{container_cli}} exec -i \"$container_name\"\ \ tar -C / -xv\n # no need to update the mount point, because pacemaker\n\ \ # recreates the container when it's restarted\nelse\n # Refresh the\ \ pem at the mount-point\n {{container_cli}} cp $service_pem \"$container_name:/var/lib/kolla/config_files/src-tls/$service_pem\"\ \n # Copy the new pem from the mount-point to the real path\n {{container_cli}}\ \ exec \"$container_name\" cp \"/var/lib/kolla/config_files/src-tls$service_pem\"\ \ \"$service_pem\"\nfi\n# Set appropriate permissions\n{{container_cli}}\ \ exec \"$container_name\" chown haproxy:haproxy \"$service_pem\"\n# Trigger\ \ a reload for HAProxy to read the new certificates\n{{container_cli}} kill\ \ --signal HUP \"$container_name\"\n" name: Certificate generation when: step|int == 1 - include_role: name: tripleo_lvmfilter name: Run lvmfilter role when: - step|int == 1 - import_role: name: tripleo_container_tag name: Manila Share tag container image for pacemaker vars: container_image: registry.redhat.io/rhosp-rhel9/openstack-manila-share:17.1 container_image_latest: cluster.common.tag/manila-share:pcmklatest when: step|int == 1 - block: - include_role: name: linux-system-roles.certificate vars: certificate_requests: - ca: ipa dns: '{{fqdn_internal_api}}' key_size: '2048' name: memcached principal: memcached/{{fqdn_internal_api}}@{{idm_realm}} run_after: 'container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep memcached) service_crt="/etc/pki/tls/certs/memcached.crt" service_key="/etc/pki/tls/private/memcached.key" # Copy the new cert from the mount-point to the real path {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" # Copy the new key from the mount-point to the real path {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" # Set appropriate permissions {{container_cli}} exec -u root "$container_name" chown memcached:memcached "$service_crt" {{container_cli}} exec -u root "$container_name" chown memcached:memcached "$service_key" # Send refresh_certs command to memcached to read the new certificate memcached_ip="$(hiera -c /etc/puppet/hiera.yaml memcached::listen_ip.0 127.0.0.1)" memcached_port="$(hiera -c /etc/puppet/hiera.yaml memcached::tcp_port 11211)" echo refresh_certs | openssl s_client -connect $memcached_ip:$memcached_port ' name: Certificate generation when: step|int == 1 - block: - include_role: name: linux-system-roles.certificate vars: certificate_requests: - ca: ipa dns: - '{{fqdn_internal_api}}' - '{{cloud_names.cloud_name_internal_api}}' key_size: '2048' name: mysql principal: mysql/{{fqdn_internal_api}}@{{idm_realm}} name: Certificate generation when: - step|int == 1 - enable_internal_tls - import_role: name: tripleo_container_tag name: MySQL tag container image for pacemaker vars: container_image: registry.redhat.io/rhosp-rhel9/openstack-mariadb:17.1 container_image_latest: cluster.common.tag/mariadb:pcmklatest when: step|int == 1 - block: - include_role: name: linux-system-roles.certificate vars: certificate_requests: - ca: ipa dns: '{{fqdn_internal_api}}' key_size: '2048' name: neutron_ovn principal: neutron_ovn/{{fqdn_internal_api}}@{{idm_realm}} name: Certificate generation when: step|int == 1 - block: - include_role: name: linux-system-roles.certificate vars: certificate_requests: - ca: ipa dns: '{{fqdn_internal_api}}' key_size: '2048' name: neutron principal: neutron/{{fqdn_internal_api}}@{{idm_realm}} run_after: 'container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep neutron_dhcp) # The certificate is also installed on the computes, but neutron_dhcp is only # present on the controllers, so we exit if the container could not be found. [[ -z $container_name ]] && exit 0 service_crt="/etc/pki/tls/certs/neutron.crt" service_key="/etc/pki/tls/private/neutron.key" # Copy the new cert from the mount-point to the real path {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" # Copy the new key from the mount-point to the real path {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key "$service_key" # No need to trigger a reload for neutron dhcpd since the cert is not cached ' name: Certificate generation when: - step|int == 1 - enable_internal_tls - name: install systemd-container for a greenfield package: name: systemd-container state: present when: - step|int == 1 - not check_nova_instances_result.stat.exists - include_role: name: tripleo_nvdimm name: manage PMEM namespaces for vPMEM vars: tripleo_nvdimm_pmem_namespaces: '' when: - step|int == 1 - tripleo_nvdimm_pmem_namespaces != '' - block: - name: Enable post-copy by setting unprivileged_userfaultfd sysctl: name: vm.unprivileged_userfaultfd reload: true state: present sysctl_file: /etc/sysctl.d/99-tripleo-postcopy.conf sysctl_set: true value: 1 name: manage OS version 9 specific sysctls when: - step|int == 1 - ansible_facts['os_family'] == 'RedHat' - ansible_facts['distribution_major_version'] is version('9', '==') - block: - name: is KSM enabled set_fact: compute_ksm_enabled: false - block: - become: true failed_when: false name: Check for ksm register: ksm_service_check shell: systemctl is-active ksm.service || systemctl is-enabled ksm.service - name: disable KSM services register: ksmdisabled service: enabled: false name: '{{ item }}' state: stopped when: - ksm_service_check.rc is defined - ksm_service_check.rc == 0 with_items: - ksm.service - ksmtuned.service - command: echo 2 >/sys/kernel/mm/ksm/run name: delete PageKSM after disable ksm on compute when: - ksm_service_check.rc is defined - ksm_service_check.rc == 0 - ksmdisabled is changed name: disable KSM on compute when: not compute_ksm_enabled|bool - block: - name: make sure package providing ksmtuned is installed (RHEL8 or CentOS8) package: name: qemu-kvm-common state: present when: - ansible_facts['distribution_major_version'] is version('8', '==') - name: make sure package providing ksmtuned is installed (RHEL9 or CentOS9) package: name: ksmtuned state: present when: - ansible_facts['distribution_major_version'] is version('9', '==') - name: enable ksmtunded service: enabled: true name: '{{ item }}' state: started with_items: - ksm.service - ksmtuned.service name: enable KSM on compute when: compute_ksm_enabled|bool name: enable/disable ksm when: - step|int == 1 - block: - file: path: '{{ item }}' serole: object_r setype: cert_t seuser: system_u state: directory name: Create dirs for certificates and keys with_items: - /etc/pki/libvirt - /etc/pki/libvirt/private - /etc/pki/qemu - include_role: name: linux-system-roles.certificate vars: certificate_requests: - ca: ipa dns: '{{fqdn_internal_api}}' key_size: '2048' name: libvirt-server-cert principal: libvirt/{{fqdn_internal_api}}@{{idm_realm}} run_after: '# Copy cert and key to libvirt dirs cp /etc/ipa/ca.crt /etc/pki/CA/cacert.pem chown root:root /etc/pki/CA/cacert.pem chmod 644 /etc/pki/CA/cacert.pem cp /etc/pki/tls/certs/libvirt-server-cert.crt /etc/pki/libvirt/servercert.pem cp /etc/pki/tls/private/libvirt-server-cert.key /etc/pki/libvirt/private/serverkey.pem podman exec nova_virtproxyd virt-admin server-update-tls virtproxyd || systemctl reload tripleo_nova_virtproxyd ' - ca: ipa dns: '{{fqdn_internal_api}}' key_size: '2048' name: libvirt-client-cert principal: libvirt/{{fqdn_internal_api}}@{{idm_realm}} run_after: '# Copy cert and key to libvirt dirs cp /etc/pki/tls/certs/libvirt-client-cert.crt /etc/pki/libvirt/clientcert.pem cp /etc/pki/tls/private/libvirt-client-cert.key /etc/pki/libvirt/private/clientkey.pem podman exec nova_virtproxyd virt-admin server-update-tls virtproxyd || systemctl reload tripleo_nova_virtproxyd ' - ca: ipa dns: '{{fqdn_internal_api}}' group: qemu key_size: '2048' name: qemu-server-cert owner: root principal: qemu/{{fqdn_internal_api}}@{{idm_realm}} run_after: '# Copy cert and key to qemu dir cp /etc/ipa/ca.crt /etc/pki/qemu/ca-cert.pem chown root:root /etc/pki/qemu/ca-cert.pem chmod 644 /etc/pki/qemu/ca-cert.pem cp -a /etc/pki/tls/certs/qemu-server-cert.crt /etc/pki/qemu/server-cert.pem cp -a /etc/pki/tls/private/qemu-server-cert.key /etc/pki/qemu/server-key.pem chgrp qemu /etc/pki/qemu/server-* chmod 0640 /etc/pki/qemu/server-cert.pem chmod 0640 /etc/pki/qemu/server-key.pem ' - ca: ipa dns: '{{fqdn_internal_api}}' group: qemu key_size: '2048' name: qemu-client-cert owner: root principal: qemu/{{fqdn_internal_api}}@{{idm_realm}} run_after: '# Copy cert and key to qemu dir cp -a /etc/pki/tls/certs/qemu-client-cert.crt /etc/pki/qemu/client-cert.pem cp -a /etc/pki/tls/private/qemu-client-cert.key /etc/pki/qemu/client-key.pem chgrp qemu /etc/pki/qemu/client-* chmod 0640 /etc/pki/qemu/client-cert.pem chmod 0640 /etc/pki/qemu/client-key.pem ' name: Certificate generation when: step|int == 1 - block: - include_role: name: linux-system-roles.certificate loop: - key_size: '{{ libvirt_vnc_key_size | default(cert_key_size, true) }}' name: libvirt-vnc-client-cert principal: libvirt-vnc/{{ libvirt_network }}@{{ idm_realm }} - key_size: '{{ nova_vnc_key_size | default(cert_key_size, true) }}' name: novnc-proxy principal: novnc-proxy/{{ libvirt_network }}@{{ idm_realm }} loop_control: loop_var: cert name: Execute system role for Nova/Libvirt VNC certs vars: certificate_requests: - ca: ipa dns: '{{ libvirt_network }}' key_size: '{{ cert.key_size }}' name: '{{ cert.name }}' principal: '{{ cert.principal }}' run_after: 'container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep nova_vnc_proxy) service_crt="/etc/pki/tls/certs/{{ cert.name }}.crt" service_key="/etc/pki/tls/private/{{ cert.name }}.key" # Copy the new cert from the mount-point to the real path {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" # Copy the new key from the mount-point to the real path {{container_cli}} exec -u root "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" # Set permissions {{container_cli}} exec -u root "$container_name" chmod 0644 $service_crt {{container_cli}} exec -u root "$container_name" chmod 0640 $service_key {{container_cli}} exec -u root "$container_name" chgrp qemu $service_key # No need to trigger a reload for novnc proxy since the cert is not cached ' name: Certificate generation vars: cert_key_size: '2048' libvirt_network: '{{ fqdn_internal_api }}' libvirt_vnc_key_size: '' nova_vnc_key_size: '' when: step|int == 1 - block: - include_role: name: linux-system-roles.certificate vars: certificate_requests: - ca: ipa dns: '{{fqdn_internal_api}}' key_size: '2048' name: ovn_controller principal: ovn_controller/{{fqdn_internal_api}}@{{idm_realm}} run_after: 'systemctl restart tripleo_ovn_controller ' name: Certificate generation when: - step|int == 1 - enable_internal_tls - name: set is_ovn_dbs_bootstrap_node fact set_fact: is_ovn_dbs_bootstrap_node={{ovn_dbs_short_bootstrap_node_name|lower == ansible_facts['hostname']|lower}} when: - step|int == 1 - ansible.builtin.service_facts: null name: Populate ansible service facts so we can check for pacemaker service when: - is_ovn_dbs_bootstrap_node | bool - step|int == 1 - block: - name: Fetch ovn-dbs-bundle register: ovn_dbs shell: 'pcs status |grep ovn-dbs-bundle ||true ' - name: Fetch ovn VIP register: ovn_vip shell: 'pcs constraint config |grep "with ovn-dbs-bundle" |awk ''{print $1}'' ' - name: Remove OVNDBs from pacemaker pacemaker_resource: resource: ovn-dbs-bundle state: delete when: ovn_dbs.stdout |length > 0 - name: Remove OVNDBs VIP from pacemaker pacemaker_resource: resource: '{{ ovn_vip.stdout }}' state: delete when: ovn_vip.stdout |length > 0 - name: Clean up pacemaker remote nodes cache shell: 'pcs cluster node clear ovn-dbs-bundle-0 pcs cluster node clear ovn-dbs-bundle-1 pcs cluster node clear ovn-dbs-bundle-2 crm_attribute --name OVN_REPL_INFO --delete ' - loop: '{{ ovn_dbs_short_node_names }}' name: Remove pacemaker attributes shell: 'pcs node attribute "{{ item }}" ovn-dbs-role= || true ' name: Remove OVNDBs from Pacemaker when: - step|int == 1 - is_ovn_dbs_bootstrap_node | bool - ansible_facts['services']['pacemaker.service']['state'] | default('unknown') == 'running' - block: - block: - include_role: name: linux-system-roles.certificate vars: certificate_requests: - ca: ipa dns: '{{fqdn_internal_api}}' key_size: '2048' name: ovn_dbs principal: ovn_dbs/{{fqdn_internal_api}}@{{idm_realm}} name: Certificate generation when: enable_internal_tls | bool - block: - include_role: name: tripleo_ovn_cluster name: Configure OVN DBs and northd vars: tripleo_ovn_cluster_dbs_protocol: '{{ enable_internal_tls | ternary(''ssl'', ''tcp'', ''tcp'') }}' tripleo_ovn_cluster_nb_db_port: 6641 tripleo_ovn_cluster_nb_local_port: 6643 tripleo_ovn_cluster_nb_remote_port: 6643 tripleo_ovn_cluster_nb_ssl_ca_cert: /etc/ipa/ca.crt tripleo_ovn_cluster_network: internal_api tripleo_ovn_cluster_northd_ssl_ca_cert: /etc/ipa/ca.crt tripleo_ovn_cluster_sb_db_port: 6642 tripleo_ovn_cluster_sb_local_port: 6644 tripleo_ovn_cluster_sb_remote_port: 6644 tripleo_ovn_cluster_sb_ssl_ca_cert: /etc/ipa/ca.crt name: Prepare OVN cluster when: step|int == 1 - block: - include_role: name: linux-system-roles.certificate vars: certificate_requests: - ca: ipa dns: '{{fqdn_internal_api}}' key_size: '2048' name: ovn_metadata principal: ovn_metadata/{{fqdn_internal_api}}@{{idm_realm}} run_after: 'systemctl restart tripleo_ovn_metadata_agent ' name: Certificate generation when: - step|int == 1 - enable_internal_tls - block: - include_role: name: linux-system-roles.certificate vars: certificate_requests: - ca: ipa dns: '{{fqdn_internal_api}}' key_size: '2048' name: ovn_octavia principal: ovn_octavia/{{fqdn_internal_api}}@{{idm_realm}} name: Certificate generation when: step|int == 1 - block: - include_role: name: linux-system-roles.certificate vars: certificate_requests: - ca: ipa dns: '{{fqdn_internal_api}}' key_size: '2048' name: rabbitmq principal: rabbitmq/{{fqdn_internal_api}}@{{idm_realm}} run_after: "container_name=$({{container_cli}} ps --format=\\{\\{.Names\\\ }\\} | grep -w -E 'rabbitmq(-bundle-.*-[0-9]+)?')\nservice_crt=\"/etc/pki/tls/certs/rabbitmq.crt\"\ \nservice_key=\"/etc/pki/tls/private/rabbitmq.key\"\nif echo \"$container_name\"\ \ | grep -q \"^rabbitmq-bundle\"; then\n # lp#1917868: Do not use podman\ \ cp with HA containers as they get\n # frozen temporarily and that can\ \ make pacemaker operation fail.\n tar -c \"$service_crt\" \"$service_key\"\ \ | {{container_cli}} exec -i \"$container_name\" tar -C / -xv\n # no need\ \ to update the mount point, because pacemaker\n # recreates the container\ \ when it's restarted\nelse\n # Refresh the cert at the mount-point\n \ \ {{container_cli}} cp $service_crt \"$container_name:/var/lib/kolla/config_files/src-tls/$service_crt\"\ \n # Refresh the key at the mount-point\n {{container_cli}} cp $service_key\ \ \"$container_name:/var/lib/kolla/config_files/src-tls/$service_key\"\n\ \ # Copy the new cert from the mount-point to the real path\n {{container_cli}}\ \ exec -u root \"$container_name\" cp \"/var/lib/kolla/config_files/src-tls$service_crt\"\ \ \"$service_crt\"\n # Copy the new key from the mount-point to the real\ \ path\n {{container_cli}} exec -u root \"$container_name\" cp \"/var/lib/kolla/config_files/src-tls$service_key\"\ \ \"$service_key\"\nfi\n# Set appropriate permissions\n{{container_cli}}\ \ exec -u root \"$container_name\" chown rabbitmq:rabbitmq \"$service_crt\"\ \n{{container_cli}} exec -u root \"$container_name\" chown rabbitmq:rabbitmq\ \ \"$service_key\"\n# Trigger a pem cache clear in RabbitMQ to read the\ \ new certificates\n{{container_cli}} exec \"$container_name\" rabbitmqctl\ \ eval \"ssl:clear_pem_cache().\"\n" name: Certificate generation when: - step|int == 1 - enable_internal_tls - import_role: name: tripleo_container_tag name: RabbitMQ tag container image for pacemaker vars: container_image: registry.redhat.io/rhosp-rhel9/openstack-rabbitmq:17.1 container_image_latest: cluster.common.tag/rabbitmq:pcmklatest when: step|int == 1 - block: - become: true containers.podman.podman_image: force: true name: '{{ prefetch_image }}' validate_certs: false delay: 5 loop: '{{ lookup(''template'', tripleo_role_name + ''/docker_config.yaml'', errors=''ignore'') | default(''{}'', True) | from_yaml | recursive_get_key_from_dict(key=''image'') | unique }}' loop_control: loop_var: prefetch_image name: Pre-fetch all the containers register: result retries: 5 until: result is succeeded when: - (step|int) == 1 - block: - include_role: name: linux-system-roles.certificate vars: certificate_requests: - ca: ipa dns: - '{{fqdn_internal_api}}' - '{{cloud_names.cloud_name_internal_api}}' key_size: '2048' name: redis principal: redis/{{fqdn_internal_api}}@{{idm_realm}} run_after: 'container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep redis_tls_proxy) service_crt="/etc/pki/tls/certs/redis.crt" service_key="/etc/pki/tls/private/redis.key" # Copy the new cert from the mount-point to the real path {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt" # Copy the new cert from the mount-point to the real path {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key" # Set appropriate permissions {{container_cli}} exec "$container_name" chown memcached:memcached "$service_crt" {{container_cli}} exec "$container_name" chown memcached:memcached "$service_key" # Trigger a reload for stunnel to read the new certificate {{container_cli}} exec pkill -o -HUP stunnel ' name: Certificate generation when: - step|int == 1 - enable_internal_tls - import_role: name: tripleo_container_tag name: Redis tag container image for pacemaker vars: container_image: registry.redhat.io/rhosp-rhel9/openstack-redis:17.1 container_image_latest: cluster.common.tag/redis:pcmklatest when: step|int == 1 - block: - name: Check if rsyslog exists register: swift_rsyslog_config shell: systemctl is-active rsyslog - copy: content: '# Fix for https://bugs.launchpad.net/tripleo/+bug/1776180 local2.* /var/log/containers/swift/swift.log & stop ' dest: /etc/rsyslog.d/openstack-swift.conf name: Forward logging to swift.log file register: swift_logconfig when: - swift_rsyslog_config is defined - swift_rsyslog_config.rc == 0 - name: Restart rsyslogd service after logging conf change service: name: rsyslog state: restarted when: - swift_logconfig is defined - swift_logconfig is changed name: Configure rsyslog for swift when: - step|int == 1