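# Ansible task list, restored from a whitespace-collapsed dump to one key per
# line. As read from the task names and tags, it prepares a host for an
# in-place OS upgrade with leapp and runs the step-3 package setup.
# Most tasks are gated on `step|int == 3`; leapp-specific blocks also require
# the `upgrade_leapp_enabled` fact set by "Set leapp facts" below.

- name: upgrade prepare for leapp to align kernel arg shortcommings in leapp
  tags:
    - never
    - system_upgrade
    - system_upgrade_prepare
  when:
    - step|int == 3
    - upgrade_leapp_enabled
  block:
    # Renames the TRIPLEO_HEAT_TEMPLATE_KERNEL_ARGS variable in
    # /etc/default/grub so that its name carries a GRUB_ prefix.
    - name: fix grub entries to have name start with GRUB_
      replace:
        path: /etc/default/grub
        regexp: '^(TRIPLEO_HEAT_TEMPLATE_KERNEL_ARGS)(.*)'
        replace: 'GRUB_\1\2'
    # Same rename for `{...}` references to the variable elsewhere in the file.
    - name: fix grub entries in append statement
      replace:
        path: /etc/default/grub
        regexp: '(.*){(TRIPLEO_HEAT_TEMPLATE_KERNEL_ARGS)}(.*)'
        replace: '\1{GRUB_\2}\3'

# This task carries no tags and no `when`, so it is not step-gated.
- name: remove rsyslog configuration for podman healthcheck log
  include_role:
    name: tripleo_podman
    tasks_from: tripleo_podman_rsyslog_cleanup

# NOTE(review): the image is referenced by a mutable tag (`17.1`) and
# `force: true` re-pulls it on every run, so the content can change between
# runs. Pin by digest if the pulled image must be reproducible.
- name: Force pull image collectd
  containers.podman.podman_image:
    force: true
    name: registry.redhat.io/rhosp-rhel9/openstack-collectd:17.1
  tags:
    - never
    - system_upgrade
    - system_upgrade_run
  when:
    - step|int == 3

- name: nova_compute pre system_upgrade tasks
  tags:
    - never
    - system_upgrade
    - system_upgrade_run
    - system_upgrade_nfsmounts
  when:
    - step|int == 3
    - upgrade_leapp_enabled
  block:
    # `nfs_backend_enable` is false as rendered here, so the unmount is
    # skipped unless a higher-precedence variable overrides it.
    - name: Unmount Nova NFS Share
      mount:
        fstype: nfs4
        name: /var/lib/nova/instances
        state: absent
      vars:
        nfs_backend_enable: false
      when: nfs_backend_enable|bool

# NOTE(review): in the collapsed source this `when` follows the second shell
# task; it is read here as the condition of the whole block - confirm.
- when:
    - (step | int) == 3
  block:
    # Saves the current IPv6 rules to a backup file, then empties the live
    # rules file. `creates` makes this run once only, so the backup is never
    # overwritten by a later run.
    # The second command was `cat/etc/sysconfig/ip6tables` (no such command,
    # so the file was never blanked); it is restored as a truncation, which is
    # what the task name describes.
    - name: blank ipv6 rule before activating ipv6 firewall.
      shell: >-
        cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade;
        cat /dev/null > /etc/sysconfig/ip6tables
      args:
        creates: /etc/sysconfig/ip6tables.n-o-upgrade
    # Deletes a fixed set of stock rules from the running IPv4/IPv6 tables
    # (`-C` checks for the rule, `-D` deletes it if present) and removes the
    # same lines from the persisted rule files with sed.
    # NOTE(review): this also removes the trailing REJECT rules from INPUT
    # and FORWARD; presumably managed rules replace them elsewhere - confirm
    # that the host is not left without a default reject in between.
    # NOTE(review): `&>` is a bash redirection and the shell module runs
    # /bin/sh unless `executable` is set - confirm /bin/sh is bash on the
    # target hosts. Only the exit status of the last sed decides the result.
    - name: cleanup unmanaged rules pushed by iptables-services
      shell: |-
        iptables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
          iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -C INPUT -p icmp -j ACCEPT &>/dev/null && \
          iptables -D INPUT -p icmp -j ACCEPT
        iptables -C INPUT -i lo -j ACCEPT &>/dev/null && \
          iptables -D INPUT -i lo -j ACCEPT
        iptables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
          iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
        iptables -C INPUT -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
          iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
        iptables -C FORWARD -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
          iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited

        sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/iptables
        sed -i '/^-A INPUT -p icmp -j ACCEPT$/d' /etc/sysconfig/iptables
        sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/iptables
        sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/iptables
        sed -i '/^-A INPUT -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
        sed -i '/^-A FORWARD -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables

        ip6tables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
          ip6tables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        ip6tables -C INPUT -p ipv6-icmp -j ACCEPT &>/dev/null && \
          ip6tables -D INPUT -p ipv6-icmp -j ACCEPT
        ip6tables -C INPUT -i lo -j ACCEPT &>/dev/null && \
          ip6tables -D INPUT -i lo -j ACCEPT
        ip6tables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
          ip6tables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
        ip6tables -C INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT &>/dev/null && \
          ip6tables -D INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
        ip6tables -C INPUT -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
          ip6tables -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
        ip6tables -C FORWARD -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
          ip6tables -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited

        sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/ip6tables
        sed -i '/^-A INPUT -p ipv6-icmp -j ACCEPT$/d' /etc/sysconfig/ip6tables
        sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/ip6tables
        sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/ip6tables
        sed -i '/^-A INPUT -d fe80::\/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT$/d' /etc/sysconfig/ip6tables
        sed -i '/^-A INPUT -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
        sed -i '/^-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables

# Collects only the distribution facts; they feed `upgrade_leapp_enabled`.
- name: Gather missing facts
  setup:
    gather_subset:
      - '!all'
      - '!min'
      - distribution
  tags:
    - always

# leapp is enabled only when the flag is true AND the host is RedHat with
# major version 8. `_upgradeLeappEnabled` is false as rendered here.
- name: Set leapp facts
  set_fact:
    upgrade_leapp_command_options: ''
    upgrade_leapp_debug: false
    upgrade_leapp_devel_skip: ''
    upgrade_leapp_enabled: |-
      {{ _upgradeLeappEnabled | bool and
         ansible_facts['distribution'] == 'RedHat' and
         ansible_facts['distribution_major_version'] is version('8', '==') }}
    upgrade_leapp_post_reboot_delay: 120
    upgrade_leapp_reboot_timeout: 3600
  tags:
    - always
  vars:
    _upgradeLeappEnabled: false

- name: system_upgrade_prepare step 3
  tags:
    - never
    - system_upgrade
    - system_upgrade_prepare
  when:
    - step|int == 3
    - upgrade_leapp_enabled
  block:
    # The script is a shebang only, so this does nothing as shown
    # (presumably an empty template parameter - confirm).
    - name: Run LeappRepoInitCommand
      shell: '#!/bin/bash '
    - name: Remove firewalld bindings
      package:
        name: python3-firewall
        state: absent
    - name: install leapp
      package:
        name: leapp-repository-openstack
        state: latest
    # Shebang-only script again; nothing runs as shown.
    - name: Run LeappInitCommand
      shell: '#!/bin/bash '
    - name: Remove vdo
      package:
        name: vdo
        state: absent
    # Both package lists are empty as rendered, so the two loops are no-ops
    # unless the lists are overridden.
    - name: add packages into Leapp's to_remove file
      lineinfile:
        line: '{{ item }}'
        path: /etc/leapp/transaction/to_remove
      loop: '{{ pkg_to_remove }}'
      vars:
        pkg_to_remove: []
    - name: add packages into Leapp's to_install file
      lineinfile:
        line: '{{ item }}'
        path: /etc/leapp/transaction/to_install
      loop: '{{ pkg_to_install }}'
      vars:
        pkg_to_install: []
    - name: check sshd_config file
      stat:
        path: /etc/ssh/sshd_config
      register: sshd_config_result
    # The regexp matches any PermitRootLogin line, commented out or not, so
    # an explicit `PermitRootLogin no` is rewritten as well and key-based
    # root login becomes permitted. Hosts hardened with `no` need the setting
    # restored after the upgrade.
    # NOTE(review): `without-password` is the deprecated spelling of
    # `prohibit-password`; kept as the author wrote it.
    # Fixes: the stat result above was registered but never used, so the edit
    # is now skipped when the file is absent, and `validate` refuses to
    # install a config that sshd cannot parse.
    - name: add PermitRootLogin option for leapp
      lineinfile:
        line: PermitRootLogin without-password
        path: /etc/ssh/sshd_config
        regexp: '^(# *)?PermitRootLogin'
        validate: /usr/sbin/sshd -t -f %s
      when: sshd_config_result.stat.exists
    - name: Remove paunch-services
      package:
        name: paunch-services
        state: absent
    - name: tripleo_container_manage reconfiguration
      import_role:
        name: tripleo_container_manage
        tasks_from: shutdown.yml

- name: Host packages setup step3
  tags: setup_packages
  when: step|int == 3
  block:
    # stdout is non-empty only when yum lists an os-net-config update; the
    # pipeline's exit status is awk's, not yum's.
    - name: Check for os-net-config upgrade
      shell: yum check-upgrade | awk '/os-net-config/{print}'
      register: os_net_config_need_upgrade
    - name: Check that os-net-config has legacy configuration
      stat:
        get_attributes: false
        get_checksum: false
        get_mime: false
        path: /etc/os-net-config/config.json
      register: stat_config_json
    - name: Check that os-net-config has new configuration
      stat:
        get_attributes: false
        get_checksum: false
        get_mime: false
        path: /etc/os-net-config/config.yaml
      register: stat_config_yaml
    # Convert the legacy JSON config to YAML only when no YAML config exists.
    - name: Slurp the os-net-config config.json
      slurp:
        src: /etc/os-net-config/config.json
      register: os_config_json
      when:
        - stat_config_json.stat.exists
        - not stat_config_yaml.stat.exists
    # NOTE(review): no owner/mode is set on the written file, so it gets the
    # defaults in effect on the host - set them explicitly if they matter.
    - name: Write updated /etc/os-net-config/config.yaml
      copy:
        content: '{{ os_config_json.content | b64decode | from_json | to_yaml }}'
        dest: /etc/os-net-config/config.yaml
      when:
        - stat_config_json.stat.exists
        - not stat_config_yaml.stat.exists
    - name: Remove legacy os-net-config configuration
      command: mv /etc/os-net-config/config.json /etc/os-net-config/deprecated_config.json
      when:
        - stat_config_json.stat.exists
    # NOTE(review): in the collapsed source this `when` follows the last task
    # of the block; it is read here as the block's condition - confirm.
    - when:
        - os_net_config_need_upgrade.stdout
        - stat_config_yaml.stat.exists or stat_config_json.stat.exists
      block:
        # Module arguments written as a mapping instead of the `key=value`
        # string form; the values are unchanged.
        - name: Upgrade os-net-config
          package:
            name: os-net-config
            state: latest
        # With --detailed-exit-codes, rc 2 is reported as "changed" and any
        # rc other than 0 or 2 as a failure.
        - name: take new os-net-config parameters into account now
          command: os-net-config --no-activate -c /etc/os-net-config/config.yaml -v --detailed-exit-codes
          register: os_net_config_upgrade
          changed_when: os_net_config_upgrade.rc == 2
          failed_when: os_net_config_upgrade.rc not in [0,2]
    # Updates every package except ansible-core; `skip_package_update` is
    # false as rendered here.
    - name: Update all packages
      yum:
        exclude: ansible-core
        name: '*'
        state: latest
      vars:
        skip_package_update: false
      when:
        - not skip_package_update|bool
    # Probe only: errors are ignored and stderr is inspected by the next task.
    - name: Check whether openvswitch exits
      command: systemctl status openvswitch.service
      ignore_errors: true
      register: ovs_service
    # NOTE(review): the guard compares against an exact English stderr
    # message, so a localized or reworded systemctl message would make this
    # task run on hosts without the unit - confirm the locale is fixed.
    - name: Always ensure the openvswitch service is enabled and running after upgrades rhbz#2329821
      service:
        enabled: true
        name: openvswitch
        state: started
      when:
        - 'ovs_service.stderr != "Unit openvswitch.service could not be found."'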