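# Compute-node deploy tasks (rendered TripleO task list). Every task below is gated on
# `step|int == 1`; the `enable_*` / `*_pmem_namespaces` values look like rendered
# template parameters — confirm against the source template before editing them.

- name: set enable_sensubility fact
  set_fact:
    enable_sensubility: false

# Exposes a podman socket to the collectd container so sensubility can query it.
# An ACL granting rwx on /run/podman to the collectd user is effectively host-root
# for that user (the podman socket controls the container runtime); keep the
# collectd container image and its user trusted.
- name: create podman socket for sensubility purposes
  when:
    - enable_sensubility|bool
    - step|int == 1
  block:
    - name: create podman socket and appropriate systemd service
      include_role:
        name: tripleo_podman
        tasks_from: tripleo_podman_service
      vars:
        tripleo_podman_socket_path: /var/lib/tripleo-podman/collectd/podman.sock

    - name: create systemd service for ensuring socket file ACL contains collectd
      become: true
      ansible.builtin.copy:
        # NOTE(review): `-it` requests a pseudo-TTY; a oneshot unit has none —
        # confirm the exec still works before dropping the flag.
        content: |
          [Unit]
          Description=ACL setting for /var/lib/tripleo-podman/collectd/podman.sock
          Requires=tripleo_collectd.service
          After=tripleo_podman.service
          After=tripleo_collectd.service

          [Service]
          Type=oneshot
          ExecStart=/usr/bin/podman exec -it collectd setfacl -m m:rwx /run/podman/podman.sock
          ExecStart=/usr/bin/podman exec -it collectd setfacl -R -m u:collectd:rwx /run/podman
          ExecStart=/usr/bin/podman exec -it collectd setfacl -d -m u:collectd:rwx /run/podman

          [Install]
          WantedBy=multi-user.target
        dest: /etc/systemd/system/tripleo_podman_collectd_acl.service
        # 420 decimal == 0644 octal; the quoted octal form is what the module documents
        # and avoids the integer/octal ambiguity.
        mode: '0644'

    - name: enable podman.sock ACL service
      ansible.builtin.service:
        enabled: true
        name: tripleo_podman_collectd_acl.service

    - name: create directory for downloads of users' scripts
      file:
        mode: '0755'
        path: /var/lib/container-user-scripts
        setype: container_file_t
        state: directory

    # Downloaded scripts are executed inside the container, so every entry is pinned
    # by checksum; in this rendering the item list is empty and the task is a no-op.
    - name: download exec scripts
      ansible.builtin.get_url:
        checksum: '{{ item.checksum }}'
        dest: /var/lib/container-user-scripts/{{ item.name }}
        mode: '0755'
        url: '{{ item.source }}'
      with_items: []

- name: Run lvmfilter role
  include_role:
    name: tripleo_lvmfilter
  when:
    - step|int == 1

# metrics_qdr: request an IPA-signed cert and push it into the running container.
- name: Certificate generation
  when:
    - step|int == 1
    - enable_internal_tls
  block:
    - include_role:
        name: linux-system-roles.certificate
      vars:
        certificate_requests:
          - ca: ipa
            dns: '{{fqdn_internal_api}}'
            key_size: '2048'
            name: metrics_qdr
            principal: 'metrics_qdr/{{fqdn_internal_api}}@{{idm_realm}}'
            # Runs as a shell script after renewal. The closing quote on
            # service_key was missing, which makes the whole script a syntax error.
            run_after: |
              container_name=$({{container_cli}} ps --format=\{\{.Names\}\} | grep metrics_qdr)
              service_crt="/etc/pki/tls/certs/metrics_qdr.crt"
              service_key="/etc/pki/tls/private/metrics_qdr.key"
              # Copy the new cert from the mount-point to the real path
              {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_crt" "$service_crt"
              # Copy the new key from the mount-point to the real path
              {{container_cli}} exec "$container_name" cp "/var/lib/kolla/config_files/src-tls$service_key" "$service_key"
              # Set appropriate permissions
              {{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_crt"
              {{container_cli}} exec "$container_name" chown qdrouterd:qdrouterd "$service_key"
              # Trigger a container restart to read the new certificate
              {{container_cli}} restart "$container_name"

- name: install systemd-container for a greenfield
  package:
    name: systemd-container
    state: present
  when:
    - step|int == 1
    - not check_nova_instances_result.stat.exists

# NOTE(review): with the task-level var fixed to '' the second condition can never
# hold, so the role is always skipped in this rendering — presumably the value is a
# rendered parameter; verify against the source template.
- name: manage PMEM namespaces for vPMEM
  include_role:
    name: tripleo_nvdimm
  vars:
    tripleo_nvdimm_pmem_namespaces: ''
  when:
    - step|int == 1
    - tripleo_nvdimm_pmem_namespaces != ''

# vm.unprivileged_userfaultfd=1 lets unprivileged processes use userfaultfd (needed
# here for post-copy migration); it widens the kernel attack surface for every
# unprivileged process on the host, so keep it scoped to compute nodes.
- name: manage OS version 9 specific sysctls
  when:
    - step|int == 1
    - ansible_facts['os_family'] == 'RedHat'
    - ansible_facts['distribution_major_version'] is version('9', '==')
  block:
    - name: Enable post-copy by setting unprivileged_userfaultfd
      sysctl:
        name: vm.unprivileged_userfaultfd
        reload: true
        state: present
        sysctl_file: /etc/sysctl.d/99-tripleo-postcopy.conf
        sysctl_set: true
        value: '1'

- name: enable/disable ksm
  when:
    - step|int == 1
  block:
    - name: is KSM enabled
      set_fact:
        compute_ksm_enabled: false

    - name: disable KSM on compute
      when: not compute_ksm_enabled|bool
      block:
        # rc == 0 means the unit is active or enabled; failures are tolerated.
        - name: Check for ksm
          become: true
          failed_when: false
          register: ksm_service_check
          shell: systemctl is-active ksm.service || systemctl is-enabled ksm.service

        - name: disable KSM services
          register: ksmdisabled
          service:
            enabled: false
            name: '{{ item }}'
            state: stopped
          when:
            - ksm_service_check.rc is defined
            - ksm_service_check.rc == 0
          with_items:
            - ksm.service
            - ksmtuned.service

        # Writing 2 to ksm/run unmerges shared pages. This needs `shell`: the
        # `command` module passes `>/sys/...` to echo as a literal argument and
        # nothing is written.
        - name: delete PageKSM after disable ksm on compute
          shell: echo 2 >/sys/kernel/mm/ksm/run
          when:
            - ksm_service_check.rc is defined
            - ksm_service_check.rc == 0
            - ksmdisabled is changed

    - name: enable KSM on compute
      when: compute_ksm_enabled|bool
      block:
        - name: make sure package providing ksmtuned is installed (RHEL8 or CentOS8)
          package:
            name: qemu-kvm-common
            state: present
          when:
            - ansible_facts['distribution_major_version'] is version('8', '==')

        - name: make sure package providing ksmtuned is installed (RHEL9 or CentOS9)
          package:
            name: ksmtuned
            state: present
          when:
            - ansible_facts['distribution_major_version'] is version('9', '==')

        - name: enable ksmtunded
          service:
            enabled: true
            name: '{{ item }}'
            state: started
          with_items:
            - ksm.service
            - ksmtuned.service

# libvirt / qemu TLS material. Unlike the other certificate blocks this one is not
# gated on enable_internal_tls — presumably decided at render time; confirm.
# Private keys are copied with root ownership; the qemu ones are then restricted to
# 0640 root:qemu, and the CA certs are deliberately world-readable (0644).
- name: Certificate generation
  when: step|int == 1
  block:
    - name: Create dirs for certificates and keys
      file:
        path: '{{ item }}'
        serole: object_r
        setype: cert_t
        seuser: system_u
        state: directory
      with_items:
        - /etc/pki/libvirt
        - /etc/pki/libvirt/private
        - /etc/pki/qemu

    - include_role:
        name: linux-system-roles.certificate
      vars:
        certificate_requests:
          - ca: ipa
            dns: '{{fqdn_internal_api}}'
            key_size: '2048'
            name: libvirt-server-cert
            principal: 'libvirt/{{fqdn_internal_api}}@{{idm_realm}}'
            run_after: |
              # Copy cert and key to libvirt dirs
              cp /etc/ipa/ca.crt /etc/pki/CA/cacert.pem
              chown root:root /etc/pki/CA/cacert.pem
              chmod 644 /etc/pki/CA/cacert.pem
              cp /etc/pki/tls/certs/libvirt-server-cert.crt /etc/pki/libvirt/servercert.pem
              cp /etc/pki/tls/private/libvirt-server-cert.key /etc/pki/libvirt/private/serverkey.pem
              podman exec nova_virtproxyd virt-admin server-update-tls virtproxyd || systemctl reload tripleo_nova_virtproxyd
          - ca: ipa
            dns: '{{fqdn_internal_api}}'
            key_size: '2048'
            name: libvirt-client-cert
            principal: 'libvirt/{{fqdn_internal_api}}@{{idm_realm}}'
            run_after: |
              # Copy cert and key to libvirt dirs
              cp /etc/pki/tls/certs/libvirt-client-cert.crt /etc/pki/libvirt/clientcert.pem
              cp /etc/pki/tls/private/libvirt-client-cert.key /etc/pki/libvirt/private/clientkey.pem
              podman exec nova_virtproxyd virt-admin server-update-tls virtproxyd || systemctl reload tripleo_nova_virtproxyd
          - ca: ipa
            dns: '{{fqdn_internal_api}}'
            group: qemu
            key_size: '2048'
            name: qemu-server-cert
            owner: root
            principal: 'qemu/{{fqdn_internal_api}}@{{idm_realm}}'
            run_after: |
              # Copy cert and key to qemu dir
              cp /etc/ipa/ca.crt /etc/pki/qemu/ca-cert.pem
              chown root:root /etc/pki/qemu/ca-cert.pem
              chmod 644 /etc/pki/qemu/ca-cert.pem
              cp -a /etc/pki/tls/certs/qemu-server-cert.crt /etc/pki/qemu/server-cert.pem
              cp -a /etc/pki/tls/private/qemu-server-cert.key /etc/pki/qemu/server-key.pem
              chgrp qemu /etc/pki/qemu/server-*
              chmod 0640 /etc/pki/qemu/server-cert.pem
              chmod 0640 /etc/pki/qemu/server-key.pem
          - ca: ipa
            dns: '{{fqdn_internal_api}}'
            group: qemu
            key_size: '2048'
            name: qemu-client-cert
            owner: root
            principal: 'qemu/{{fqdn_internal_api}}@{{idm_realm}}'
            run_after: |
              # Copy cert and key to qemu dir
              cp -a /etc/pki/tls/certs/qemu-client-cert.crt /etc/pki/qemu/client-cert.pem
              cp -a /etc/pki/tls/private/qemu-client-cert.key /etc/pki/qemu/client-key.pem
              chgrp qemu /etc/pki/qemu/client-*
              chmod 0640 /etc/pki/qemu/client-cert.pem
              chmod 0640 /etc/pki/qemu/client-key.pem

# Image pre-fetch: every `image:` value found in the role's docker_config.yaml is
# pulled up front, retried 5 times with a 5 s delay.
- when:
    - (step|int) == 1
  block:
    - name: Pre-fetch all the containers
      become: true
      containers.podman.podman_image:
        force: true
        name: '{{ prefetch_image }}'
        # Registry TLS verification is disabled here, so image integrity rests
        # solely on the registry/network path. Prefer distributing the registry CA
        # and setting this to true; confirm why it was needed before keeping it.
        validate_certs: false
      loop: >-
        {{ lookup('template', tripleo_role_name + '/docker_config.yaml', errors='ignore')
        | default('{}', True) | from_yaml | recursive_get_key_from_dict(key='image') | unique }}
      loop_control:
        loop_var: prefetch_image
      register: result
      retries: 5
      delay: 5
      until: result is succeeded

- name: Certificate generation
  when:
    - step|int == 1
    - enable_internal_tls
  block:
    - include_role:
        name: linux-system-roles.certificate
      vars:
        certificate_requests:
          - ca: ipa
            dns: '{{fqdn_internal_api}}'
            key_size: '2048'
            name: ovn_controller
            principal: 'ovn_controller/{{fqdn_internal_api}}@{{idm_realm}}'
            run_after: |
              systemctl restart tripleo_ovn_controller

- name: Certificate generation
  when:
    - step|int == 1
    - enable_internal_tls
  block:
    - include_role:
        name: linux-system-roles.certificate
      vars:
        certificate_requests:
          - ca: ipa
            dns: '{{fqdn_internal_api}}'
            key_size: '2048'
            name: ovn_metadata
            principal: 'ovn_metadata/{{fqdn_internal_api}}@{{idm_realm}}'
            run_after: |
              systemctl restart tripleo_ovn_metadata_agent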