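---
# Pacemaker/HA upgrade tasks for a TripleO controller node. Most tasks are
# gated on `step|int == 1`; the few that are not are marked below. Shell
# payloads are kept as `|` block scalars so each retains exactly one
# trailing newline, as the double-quoted originals did.

# Non-HA containers are removed through tripleo_container_rm; the pacemaker
# bundles take over for these services.
- name: Tear-down non-HA cinder-backup container
  block:
    - name: Remove non-HA cinder-backup container
      include_role:
        name: tripleo_container_rm
      vars:
        tripleo_container_cli: '{{ container_cli }}'
        tripleo_containers_to_rm:
          - cinder_backup
  when:
    - step|int == 1

- name: Tear-down non-HA cinder_volume container
  block:
    - name: Remove non-HA cinder_volume container
      include_role:
        name: tripleo_container_rm
      vars:
        tripleo_container_cli: '{{ container_cli }}'
        tripleo_containers_to_rm:
          - cinder_volume
  when:
    - step|int == 1

# Not step-gated: runs at every step. Presumably the role's cleanup is
# idempotent — TODO confirm.
- name: remove rsyslog configuration for podman healthcheck log
  include_role:
    name: tripleo_podman
    tasks_from: tripleo_podman_rsyslog_cleanup

- name: Tear-down non-HA haproxy container
  block:
    - name: Remove non-HA haproxy container
      include_role:
        name: tripleo_container_rm
      vars:
        tripleo_container_cli: '{{ container_cli }}'
        tripleo_containers_to_rm:
          - haproxy
  when:
    - step|int == 1

- name: Set HAProxy upgrade facts
  block:
    # Native YAML args instead of the `key=value` form; set_fact normalises
    # the rendered "True"/"False" to a boolean either way.
    - name: set is_haproxy_bootstrap_node fact
      set_fact:
        is_haproxy_bootstrap_node: "{{ haproxy_short_bootstrap_node_name|lower == ansible_facts['hostname']|lower }}"
      tags: common
      when:
        - haproxy_short_bootstrap_node_name|default(false)
  when:
    - step|int == 1

- name: Mount TLS cert if needed
  block:
    # The exit code is the only signal used for "mapping absent".
    # NOTE(review): 6 is ENXIO, the value older cibadmin returned for an
    # unmatched --xpath; confirm the exit code on the deployed pacemaker.
    - name: Check haproxy public certificate configuration in pacemaker
      command: cibadmin --query --xpath "//storage-mapping[@id='haproxy-cert']"
      failed_when: false
      register: haproxy_cert_mounted

    - name: Disable the haproxy cluster resource
      pacemaker_resource:
        resource: haproxy-bundle
        state: disable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
      when: haproxy_cert_mounted.rc == 6

    # Presumably rendered for a deployment with public TLS enabled, which is
    # why the `|bool` part of the condition below is unconditionally true here.
    - name: Set HAProxy public cert volume mount fact
      set_fact:
        haproxy_public_cert_path: /etc/pki/tls/private/overcloud_endpoint.pem
        haproxy_public_tls_enabled: true

    - name: Add a bind mount for public certificate in the haproxy bundle
      command: >-
        pcs resource bundle update haproxy-bundle storage-map add id=haproxy-cert
        source-dir={{ haproxy_public_cert_path }}
        target-dir=/var/lib/kolla/config_files/src-tls/{{ haproxy_public_cert_path }}
        options=ro
      when: haproxy_cert_mounted.rc == 6 and haproxy_public_tls_enabled|bool

    - name: Enable the haproxy cluster resource
      pacemaker_resource:
        resource: haproxy-bundle
        state: enable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
      when: haproxy_cert_mounted.rc == 6
  when:
    - step|int == 1
    - is_haproxy_bootstrap_node

# Evacuate the IPaddr2 VIPs this node currently hosts (ban, then drop the
# resulting -INFINITY location constraints) before pacemaker is stopped.
# The "Could not retrieve" warning now goes to stderr: the original `2>&1`
# on an echo was a no-op.
- name: Move virtual IPs to another node before stopping pacemaker
  shell: |
    CLUSTER_NODE=$(crm_node -n)
    echo "Retrieving all the VIPs which are hosted on this node"
    VIPS_TO_MOVE=$(crm_mon --as-xml | xmllint --xpath '//resource[@resource_agent="ocf:heartbeat:IPaddr2" and @role = "Started" and @managed = "true" and ./node[@name = "'${CLUSTER_NODE}'"]]/@id' - | sed -e 's/id=//g' -e 's/"//g')
    for v in ${VIPS_TO_MOVE}; do
      echo "Moving VIP $v on another node"
      pcs resource ban $v ${CLUSTER_NODE} --wait=300
    done
    echo "Removing the location constraints that were created to move the VIPs"
    for v in ${VIPS_TO_MOVE}; do
      echo "Removing location ban for VIP $v"
      ban_id=$(cibadmin --query | xmllint --xpath 'string(//rsc_location[@rsc="'${v}'" and @node="'${CLUSTER_NODE}'" and @score="-INFINITY"]/@id)' -)
      if [ -n "$ban_id" ]; then
        pcs constraint remove ${ban_id}
      else
        echo "Could not retrieve and clear location constraint for VIP $v" >&2
      fi
    done
  when:
    - step|int == 1
    - hostvars[inventory_hostname]["haproxy_node_names"]|default([])|length > 1

- name: Wait for 10s to settle connections on new VIPs
  wait_for:
    timeout: 10
  when:
    - step|int == 1
    - hostvars[inventory_hostname]["haproxy_node_names"]|default([])|length > 1

# Drop new inbound connections to this node's haproxy backends (every backend
# but the :3306 mysql one) for 20 minutes. Skipped when VERSION_ID is 9.0.
# The two leading `# server ...` lines are part of the script: sample
# haproxy.cfg lines documenting the format the awk/parameter expansions parse.
# NOTE(review): the INPUT rule always targets the `filter` table, while the
# OUTPUT rules generated below choose raw/filter at run time — confirm that
# asymmetry is intended.
- name: Block local INPUT SYN packets on the backends except mysql
  shell: |
    # server controller-0.storage.redhat.local 172.17.3.93:8080 check fall 5 inter 2000 rise 2
    # server controller-0.internalapi.redhat.local fd00:fd00:fd00:2000::176:9292 check fall 5 inter 2000 rise 2
    set -o pipefail
    source /etc/os-release; test "${VERSION_ID%*}" = "9.0" && exit 0
    grep {{ ansible_facts["hostname"]|lower }} /var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg | grep -v ":3306 " | \
    awk '{print $3}' | \
    while read BACKEND; do
      IP=${BACKEND%:*}
      PORT=${BACKEND#"$IP:"}
      if [[ $IP =~ .*:.* ]]
      then PROTOCOL="ip6"
      else PROTOCOL="ip"
      fi
      echo "insert rule $PROTOCOL filter INPUT $PROTOCOL daddr $IP tcp dport $PORT tcp flags syn / fin,syn,rst,ack meta time"
    done | xargs -i nft {} $(date +%s)-$(date -d'+20 minutes' +%s) counter drop comment "{{ ansible_facts["hostname"]|lower }}_haproxy_drop"
  tags: haproxy_syn_block
  when:
    - step|int == 1

# Print (not execute) the nft commands the *other* haproxy nodes must run so
# they stop opening new connections to this node's backends. `\$TABLE` is left
# unexpanded on purpose: the receiving node resolves it. Skipped on 9.0.
- name: Generate block for other nodes OUTPUT SYN packets on the backends except mysql
  register: haproxy_iptables_block
  shell: |
    set -o pipefail
    source /etc/os-release; test "${VERSION_ID%*}" = "9.0" && exit 0
    grep {{ ansible_facts["hostname"]|lower }} /var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg | grep -v ":3306 " | \
    awk '{print $3}' | \
    while read BACKEND; do
      IP=${BACKEND%:*}
      PORT=${BACKEND#"$IP:"}
      if [[ $IP =~ .*:.* ]]
      then PROTOCOL="ip6"
      else PROTOCOL="ip"
      fi
      echo "nft insert rule $PROTOCOL \$TABLE OUTPUT $PROTOCOL daddr $IP tcp dport $PORT tcp flags syn / fin,syn,rst,ack meta time $(date +%s)-$(date -d'+20 minutes' +%s) counter drop comment \"{{ ansible_facts["hostname"]|lower }}_haproxy_drop\" "
    done
  tags: haproxy_syn_block
  when:
    - step|int == 1

# Run the generated commands on every other haproxy node. Three fixes to the
# script: the `head -n 1 \` continuation lacked the `|` before awk (head was
# handed `awk` and `{print $3}` as file names); PROTOCOL was assigned inside a
# piped `while`, i.e. in a subshell, so the TABLE lookup never saw it; and
# TABLE was not exported, so the `bash -c` children expanded `$TABLE` to empty.
# The exclusion is now a one-element list so `difference` compares whole
# names instead of doing a substring test against a bare string.
- name: Block OUTPUT SYN packets to this node on other haproxy nodes
  delegate_to: '{{ item }}'
  loop: '{{ groups["haproxy"] | difference(groups["excluded_overcloud"]) | difference([ansible_facts["hostname"]|lower]) }}'
  shell: |
    set -o pipefail
    BACKEND=$(grep {{ ansible_facts["hostname"]|lower }} /var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg | head -n 1 | awk '{print $3}')
    IP=${BACKEND%:*}
    if [[ $IP =~ .*:.* ]]
    then PROTOCOL="ip6"
    else PROTOCOL="ip"
    fi
    TABLE=$(nft list tables | grep -q "$PROTOCOL raw" && echo raw || echo filter )
    export TABLE
    echo "{{ haproxy_iptables_block.stdout}}" | while read i; do bash -c "$i"; done
  tags: haproxy_syn_block
  when:
    - step|int == 1

- name: Tear-down non-HA mysql container
  block:
    - name: stat mysql container
      command: podman container exists mysql
      changed_when: false
      failed_when: false
      register: stat_mysql_container

    # Creates the clustercheck user inside the running container through the
    # container_exec_cmd filter. NOTE(review): the credential is a literal in
    # this file and belongs in a vaulted variable; `no_log` keeps the task
    # args (including `environment`) out of verbose output and callbacks.
    # Presumably the filter passes `environment` as `-e` on the exec command
    # line, and the expanded `mysql -e` string is visible to `ps` inside the
    # container for the command's duration — confirm against the filter.
    - name: Create clustercheck user and permissions
      changed_when: true
      command:
        argv: '{{ mysql_exec_data | container_exec_cmd }}'
      no_log: true
      vars:
        mysql_exec_data:
          command:
            - mysql
            - /bin/sh
            - -c
            - mysql -e "CREATE USER IF NOT EXISTS 'clustercheck'@'localhost' IDENTIFIED BY '${CLUSTERCHECK_PASSWORD}'; GRANT PROCESS ON *.* TO 'clustercheck'@'localhost' WITH GRANT OPTION;"
          environment:
            CLUSTERCHECK_PASSWORD: 'Zx168jeh3U8PrH2bvkjORV2bD'
      when:
        - stat_mysql_container.rc == 0

    - name: Remove non-HA mysql container
      include_role:
        name: tripleo_container_rm
      vars:
        tripleo_container_cli: '{{ container_cli }}'
        tripleo_containers_to_rm:
          - mysql
  when:
    - step|int == 1

- name: Ensure old cron.daily is absent
  file:
    path: /etc/cron.daily/containers-tmpwatch
    state: absent
  when: step|int == 1

# Presumably serialises the cluster shutdown across controllers through the
# shared lock script; output is journaled under the ha-shutdown tag.
- name: Acquire the cluster shutdown lock to stop pacemaker cluster
  command: systemd-cat -t ha-shutdown /var/lib/container-config-scripts/pacemaker_mutex_shutdown.sh --acquire
  when: step|int == 1

- name: Stop pacemaker cluster
  pacemaker_cluster:
    state: offline
  when: step|int == 1

- name: Tear-down non-HA rabbitmq container
  block:
    - name: Remove non-HA rabbitmq container
      include_role:
        name: tripleo_container_rm
      vars:
        tripleo_container_cli: '{{ container_cli }}'
        tripleo_containers_to_rm:
          - rabbitmq
  when:
    - step|int == 1

- name: redis_pacemaker_puppet_tmpfile_cleanup
  block:
    - name: Clean old tmpfile configuration
      file:
        path: /etc/tmpfiles.d/var-run-redis.conf
        state: absent
  when: step|int == 1

- name: Tear-down non-HA redis container
  block:
    - name: Remove non-HA redis container
      include_role:
        name: tripleo_container_rm
      vars:
        tripleo_container_cli: '{{ container_cli }}'
        tripleo_containers_to_rm:
          - redis
  when:
    - step|int == 1

# Not step-gated: the stat and the conditional delete run at every step.
- name: Check swift containers log folder/symlink exists
  stat:
    path: /var/log/containers/swift
  register: swift_log_link

- name: Delete if symlink
  file:
    path: /var/log/containers/swift
    state: absent
  when: swift_log_link.stat.islnk is defined and swift_log_link.stat.islnk

# Both units are disabled best-effort (failed_when: false), then their unit
# files removed; systemd is reloaded only if either disable reported a change.
- name: Cleanup tripleo-iptables services
  block:
    - name: Disable tripleo-iptables.service
      systemd:
        name: tripleo-iptables.service
        enabled: false
        state: stopped
      failed_when: false
      register: systemd_tripleo_iptables

    - name: Cleanup tripleo-iptables.services
      file:
        path: /etc/systemd/system/tripleo-iptables.service
        state: absent

    - name: Disable tripleo-ip6tables.service
      systemd:
        name: tripleo-ip6tables.service
        enabled: false
        state: stopped
      failed_when: false
      register: systemd_tripleo_ip6tables

    - name: Cleanup tripleo-ip6tables.services
      file:
        path: /etc/systemd/system/tripleo-ip6tables.service
        state: absent

    - name: Reload systemd
      systemd:
        daemon_reload: true
      when:
        - (systemd_tripleo_iptables is changed or systemd_tripleo_ip6tables is changed)
  when:
    - (step | int) == 1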