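# Per-service upgrade tasks for a pacemaker-managed OpenStack control plane
# (cinder, collectd, glance, haproxy, manila, mysql/galera, OVN, redis).
# Every task is gated on the `step` variable; tasks tagged `never` run only
# when one of their other tags is requested explicitly.
#
# NOTE(review): layout restored from a whitespace-collapsed listing. Wrapper
# blocks that carry only a `block:` key have no conditions of their own, so
# their exact nesting does not change execution order. Multi-line shell
# scripts were re-split at statement boundaries - confirm against the
# generated original before reuse.

# ---------------------------------------------------------------- leapp/grub
- name: upgrade prepare for leapp to align kernel arg shortcommings in leapp
  when:
    - step|int == 3
    - upgrade_leapp_enabled
  tags:
    - never
    - system_upgrade
    - system_upgrade_prepare
  block:
    - name: fix grub entries to have name start with GRUB_
      replace:
        path: /etc/default/grub
        regexp: '^(TRIPLEO_HEAT_TEMPLATE_KERNEL_ARGS)(.*)'
        replace: 'GRUB_\1\2'
    - name: fix grub entries in append statement
      replace:
        path: /etc/default/grub
        regexp: '(.*){(TRIPLEO_HEAT_TEMPLATE_KERNEL_ARGS)}(.*)'
        replace: '\1{GRUB_\2}\3'

# ------------------------------------------------------------- cinder_backup
- name: Tear-down non-HA cinder_backup container
  when:
    - step|int == 0
  block:
    - name: Remove non-HA cinder-backup container
      include_role:
        name: tripleo_container_rm
      vars:
        tripleo_container_cli: '{{ container_cli }}'
        tripleo_containers_to_rm:
          - cinder_backup

- name: Prepare switch of cinder_backup image name
  when:
    - step|int == 0
  block:
    # Errors from this pipeline are ignored (failed_when: false); the retag
    # and statefile tasks below only act when stdout is non-empty.
    - name: Get cinder_backup image id currently used by pacemaker
      shell: >-
        pcs resource config openstack-cinder-backup
        | grep -Eo 'image=[^ ]+'
        | awk -F= '{print $2;}'
      register: cinder_backup_image_current_res
      failed_when: false
    - name: cinder_backup image facts
      set_fact:
        cinder_backup_image_current: '{{cinder_backup_image_current_res.stdout}}'
        cinder_backup_image_latest: cluster.common.tag/cinder-backup:pcmklatest
    - name: Temporarily tag the current cinder_backup image id with the upgraded image name
      import_role:
        name: tripleo_container_tag
      vars:
        container_image: '{{cinder_backup_image_current}}'
        container_image_latest: '{{cinder_backup_image_latest}}'
        pull_image: false
      when:
        - cinder_backup_image_current != ''
        - cinder_backup_image_current != cinder_backup_image_latest
    # The statefile is the hand-off to the step 1 and step 3 blocks below.
    - name: Create cinder_backup retag statefile
      file:
        path: /var/lib/tripleo/cinder_backup_needs_retag
        state: touch
      when:
        - cinder_backup_image_current != ''
        - cinder_backup_image_current != cinder_backup_image_latest

- name: Update cinder_backup pcs resource bundle for new container image - check
  when:
    - step|int == 1
  block:
    - name: set is_cinder_backup_bootstrap_node fact
      set_fact:
        is_cinder_backup_bootstrap_node: "{{ cinder_backup_short_bootstrap_node_name|lower == ansible_facts['hostname']|lower }}"
      tags: common
    - name: Check for cinder_backup retag statefile
      stat:
        path: /var/lib/tripleo/cinder_backup_needs_retag
      register: cinder_backup_retag_state_file

- name: Update cinder_backup pcs resource bundle for new container image
  when:
    - step|int == 1
    - is_cinder_backup_bootstrap_node
    - cinder_backup_retag_state_file.stat.exists|bool
  block:
    - name: Disable the cinder_backup cluster resource before container upgrade step1
      pacemaker_resource:
        resource: openstack-cinder-backup
        state: disable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - name: Update the cinder_backup bundle to use the new container image name
      command: pcs resource bundle update openstack-cinder-backup container image={{cinder_backup_image_latest}}
    - name: Enable the cinder_backup cluster resource
      pacemaker_resource:
        resource: openstack-cinder-backup
        state: enable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0

- name: Check for cinder_backup retag statefile
  stat:
    path: /var/lib/tripleo/cinder_backup_needs_retag
  register: cinder_backup_retag_state_file
  when:
    - step|int == 3

- name: Retag the pacemaker image for cinder_backup
  when:
    - step|int == 3
    - cinder_backup_retag_state_file.stat.exists|bool
  block:
    - name: Disable the cinder_backup cluster resource before container upgrade step3
      pacemaker_resource:
        resource: openstack-cinder-backup
        state: disable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - block:
        - block:
            # Reads the pacemaker CIB directly, hence become: true.
            - name: Get cinder_backup image from pacemaker
              become: true
              shell: >-
                xmllint --xpath
                "string(//bundle[@id='openstack-cinder-backup']/podman/@image)"
                /var/lib/pacemaker/cib/cib.xml
              register: xmllint_pcmk_cinder_backup_image
            - name: Get container cinder_backup image
              set_fact:
                cinder_backup_image: registry.redhat.io/rhosp-rhel9/openstack-cinder-backup:17.1
                cinder_backup_image_latest: cluster.common.tag/cinder-backup:pcmklatest
                pcmk_cinder_backup_image: '{{xmllint_pcmk_cinder_backup_image.stdout}}'
            - name: Retag the pacemaker image if containerized
              block:
                - name: Retag pcmklatest to latest cinder_backup image
                  include_role:
                    name: tripleo_container_tag
                  vars:
                    container_image: '{{cinder_backup_image}}'
                    container_image_latest: '{{cinder_backup_image_latest}}'
    - name: Enable the cinder_backup cluster resource
      pacemaker_resource:
        resource: openstack-cinder-backup
        state: enable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - name: Remove cinder_backup retag statefile
      file:
        path: /var/lib/tripleo/cinder_backup_needs_retag
        state: absent

# ------------------------------------------------------------- cinder_volume
- name: Tear-down non-HA cinder_volume container
  when:
    - step|int == 0
  block:
    - name: Remove non-HA cinder_volume container
      include_role:
        name: tripleo_container_rm
      vars:
        tripleo_container_cli: '{{ container_cli }}'
        tripleo_containers_to_rm:
          - cinder_volume

- name: Prepare switch of cinder_volume image name
  when:
    - step|int == 0
  block:
    - name: Get cinder_volume image id currently used by pacemaker
      shell: >-
        pcs resource config openstack-cinder-volume
        | grep -Eo 'image=[^ ]+'
        | awk -F= '{print $2;}'
      register: cinder_volume_image_current_res
      failed_when: false
    - name: cinder_volume image facts
      set_fact:
        cinder_volume_image_current: '{{cinder_volume_image_current_res.stdout}}'
        cinder_volume_image_latest: cluster.common.tag/cinder-volume:pcmklatest
    - name: Temporarily tag the current cinder_volume image id with the upgraded image name
      import_role:
        name: tripleo_container_tag
      vars:
        container_image: '{{cinder_volume_image_current}}'
        container_image_latest: '{{cinder_volume_image_latest}}'
        pull_image: false
      when:
        - cinder_volume_image_current != ''
        - cinder_volume_image_current != cinder_volume_image_latest
    - name: Create cinder_volume retag statefile
      file:
        path: /var/lib/tripleo/cinder_volume_needs_retag
        state: touch
      when:
        - cinder_volume_image_current != ''
        - cinder_volume_image_current != cinder_volume_image_latest

- name: Update cinder_volume pcs resource bundle for new container image
  when:
    - step|int == 1
  block:
    - name: set is_cinder_volume_bootstrap_node fact
      set_fact:
        is_cinder_volume_bootstrap_node: "{{ cinder_volume_short_bootstrap_node_name|lower == ansible_facts['hostname']|lower }}"
      tags: common
    - name: Check for cinder_volume retag statefile
      stat:
        path: /var/lib/tripleo/cinder_volume_needs_retag
      register: cinder_volume_retag_state_file

- name: Update cinder_volume pcs resource bundle for new container image
  when:
    - step|int == 1
    - is_cinder_volume_bootstrap_node
    - cinder_volume_retag_state_file.stat.exists|bool
  block:
    - name: Disable the cinder_volume cluster resource before container upgrade
      pacemaker_resource:
        resource: openstack-cinder-volume
        state: disable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - name: pcs resource bundle update cinder_volume for new container image name
      command: pcs resource bundle update openstack-cinder-volume container image={{cinder_volume_image_latest}}
    - name: Enable the cinder_volume cluster resource
      pacemaker_resource:
        resource: openstack-cinder-volume
        state: enable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0

- name: Check for cinder_volume retag statefile
  stat:
    path: /var/lib/tripleo/cinder_volume_needs_retag
  register: cinder_volume_retag_state_file
  when:
    - step|int == 3

- name: Retag pacemaker cinder_volume
  when:
    - step|int == 3
    - cinder_volume_retag_state_file.stat.exists|bool
  block:
    - name: Disable the cinder_volume cluster resource before container upgrade
      pacemaker_resource:
        resource: openstack-cinder-volume
        state: disable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - block:
        - block:
            - name: Get cinder_volume image from pacemaker
              become: true
              shell: >-
                xmllint --xpath
                "string(//bundle[@id='openstack-cinder-volume']/podman/@image)"
                /var/lib/pacemaker/cib/cib.xml
              register: xmllint_pcmk_cinder_volume_image
            - name: Get container cinder_volume image
              set_fact:
                cinder_volume_image: registry.redhat.io/rhosp-rhel9/openstack-cinder-volume:17.1
                cinder_volume_image_latest: cluster.common.tag/cinder-volume:pcmklatest
                pcmk_cinder_volume_image: '{{xmllint_pcmk_cinder_volume_image.stdout}}'
            - name: Retag the pacemaker image if containerized
              block:
                - name: Retag pcmklatest to latest cinder_volume image
                  include_role:
                    name: tripleo_container_tag
                  vars:
                    container_image: '{{cinder_volume_image}}'
                    container_image_latest: '{{cinder_volume_image_latest}}'
    - name: Enable the cinder_volume cluster resource
      pacemaker_resource:
        resource: openstack-cinder-volume
        state: enable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - name: Remove cinder_volume retag statefile
      file:
        path: /var/lib/tripleo/cinder_volume_needs_retag
        state: absent

- name: cinder-volume pre system_upgrade tasks
  when:
    - step|int == 3
    - upgrade_leapp_enabled
  tags:
    - never
    - system_upgrade
    - system_upgrade_run
    - system_upgrade_nfsmounts
  block:
    # image_conversion_nfs_enabled is false in this task's own vars, so as
    # rendered here the unmount is skipped.
    - name: Unmount cinder's image conversion NFS share
      mount:
        fstype: nfs4
        path: /var/lib/cinder_image_conversion
        state: absent
      vars:
        image_conversion_nfs_enabled: false
        image_conversion_nfs_options: _netdev,bg,intr,context=system_u:object_r:container_file_t:s0
        image_conversion_nfs_share: ''
      when: image_conversion_nfs_enabled|bool

- name: cinder-volume post system_upgrade tasks
  when:
    - step|int == 5
    - upgrade_leapp_enabled
  tags:
    - never
    - system_upgrade
    - system_upgrade_run
    - system_upgrade_nfsmounts
  block:
    - name: Support using an NFS share for cinder image conversion
      when:
        - image_conversion_nfs_enabled|bool
      vars:
        image_conversion_nfs_enabled: false
      block:
        - name: Create cinder image conversion directory
          file:
            path: /var/lib/cinder_image_conversion
            state: directory
        # The context= mount option sets the SELinux label that containers
        # see on the share.
        - name: Mount cinder's image conversion NFS share
          mount:
            fstype: nfs4
            opts: '{{ image_conversion_nfs_options }}'
            path: /var/lib/cinder_image_conversion
            src: '{{ image_conversion_nfs_share }}'
            state: mounted
          vars:
            image_conversion_nfs_options: _netdev,bg,intr,context=system_u:object_r:container_file_t:s0
            image_conversion_nfs_share: ''

# ------------------------------------------------------------------ collectd
- name: remove rsyslog configuration for podman healthcheck log
  include_role:
    name: tripleo_podman
    tasks_from: tripleo_podman_rsyslog_cleanup

- name: Force pull image collectd
  containers.podman.podman_image:
    force: true
    name: registry.redhat.io/rhosp-rhel9/openstack-collectd:17.1
  tags:
    - never
    - system_upgrade
    - system_upgrade_run
  when:
    - step|int == 3

- name: UBI8 to UBI9 switch of collectd
  when:
    - step|int == 5
  tags:
    - never
    - system_upgrade
    - system_upgrade_run
  block:
    - name: Update collectd to UBI9
      tripleo_container_manage:
        config_dir: /var/lib/tripleo-config/container-startup-config/step_3
        config_id:
          - tripleo_step3
        config_overrides:
          collectd:
            image: registry.redhat.io/rhosp-rhel9/openstack-collectd:17.1
        config_patterns: collectd.json
        debug: '{{ enable_debug | bool }}'
        log_base_path: '{{ container_log_stdout_path }}'

# ---------------------------------------------------------------- glance-api
- name: glance-api pre system_upgrade tasks
  when:
    - step|int == 3
    - upgrade_leapp_enabled
  tags:
    - never
    - system_upgrade
    - system_upgrade_run
    - system_upgrade_nfsmounts
  block:
    - name: Unmount and remove NFS glance entry
      mount:
        fstype: nfs
        name: /var/lib/glance/images
        state: absent
      vars:
        glance_netapp_nfs_enabled: false
        nfs_backend_enabled: false
      when: nfs_backend_enabled or glance_netapp_nfs_enabled
    # [7:] strips the leading "file://" from the staging URI.
    - name: Unmount and remove NFS glance-staging entry
      mount:
        fstype: nfs
        name: '{{glance_node_staging_uri[7:]}}'
        state: absent
      vars:
        glance_node_staging_uri: file:///var/lib/glance/staging
        glance_staging_nfs_share: ''
      when: glance_staging_nfs_share != ''

- name: glance-api post system_upgrade tasks
  when:
    - step|int == 5
    - upgrade_leapp_enabled
  tags:
    - never
    - system_upgrade
    - system_upgrade_run
    - system_upgrade_nfsmounts
  block:
    - name: Mount NFS on host
      mount:
        fstype: nfs
        name: /var/lib/glance/images
        opts: '{{nfs_options}}'
        src: '{{nfs_share}}'
        state: mounted
      vars:
        glance_netapp_nfs_enabled: false
        glance_nfs_share: ''
        netapp_share_location: ''
        nfs_backend_enabled: false
        nfs_options: _netdev,bg,intr,context=system_u:object_r:container_file_t:s0
        nfs_share: '{{ glance_nfs_share if (glance_nfs_share) else netapp_share_location }}'
      when: nfs_backend_enabled or glance_netapp_nfs_enabled
    - name: Mount Node Staging Location
      mount:
        fstype: nfs
        name: '{{glance_node_staging_uri[7:]}}'
        opts: '{{glance_nfs_options}}'
        src: '{{glance_staging_nfs_share}}'
        state: mounted
      vars:
        glance_nfs_options: _netdev,bg,intr,context=system_u:object_r:container_file_t:s0
        glance_node_staging_uri: file:///var/lib/glance/staging
        glance_staging_nfs_share: ''
      when: glance_staging_nfs_share != ''

# ------------------------------------------------------------------- haproxy
- name: Tear-down non-HA haproxy container
  when:
    - step|int == 0
  block:
    - name: Remove non-HA haproxy container
      include_role:
        name: tripleo_container_rm
      vars:
        tripleo_container_cli: '{{ container_cli }}'
        tripleo_containers_to_rm:
          - haproxy

- name: Prepare switch of haproxy image name
  when:
    - step|int == 0
  block:
    - name: Get haproxy image id currently used by pacemaker
      shell: >-
        pcs resource config haproxy-bundle
        | grep -Eo 'image=[^ ]+'
        | awk -F= '{print $2;}'
      register: haproxy_image_current_res
      failed_when: false
    - name: Image facts for haproxy
      set_fact:
        haproxy_image_current: '{{haproxy_image_current_res.stdout}}'
        haproxy_image_latest: cluster.common.tag/haproxy:pcmklatest
    - name: Temporarily tag the current haproxy image id with the upgraded image name
      import_role:
        name: tripleo_container_tag
      vars:
        container_image: '{{haproxy_image_current}}'
        container_image_latest: '{{haproxy_image_latest}}'
        pull_image: false
      when:
        - haproxy_image_current != ''
        - haproxy_image_current != haproxy_image_latest
    - name: Create haproxy retag statefile
      file:
        path: /var/lib/tripleo/haproxy_needs_retag
        state: touch
      when:
        - haproxy_image_current != ''
        - haproxy_image_current != haproxy_image_latest

- name: Update haproxy pcs resource bundle for new container image
  when:
    - step|int == 1
  block:
    - name: Set upgrade haproxy facts
      set_fact:
        is_haproxy_bootstrap_node: "{{ haproxy_short_bootstrap_node_name|lower == ansible_facts['hostname']|lower }}"
    - name: Check for haproxy retag statefile
      stat:
        path: /var/lib/tripleo/haproxy_needs_retag
      register: haproxy_retag_state_file

- name: Update haproxy pcs resource bundle for new container image
  when:
    - step|int == 1
    - is_haproxy_bootstrap_node|bool
    - haproxy_retag_state_file.stat.exists|bool
  block:
    - name: Disable the haproxy cluster resource before container upgrade
      pacemaker_resource:
        resource: haproxy-bundle
        state: disable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - name: Expose HAProxy stats socket on the host and mount TLS cert if needed
      block:
        # The two queries never fail the play; rc == 6 is what triggers the
        # matching "add" task below (presumably cibadmin's "no such object"
        # exit code - confirm).
        - name: Check haproxy stats socket configuration in pacemaker
          command: cibadmin --query --xpath "//storage-mapping[@id='haproxy-var-lib']"
          register: haproxy_stats_exposed
          failed_when: false
        - name: Check haproxy public certificate configuration in pacemaker
          command: cibadmin --query --xpath "//storage-mapping[@id='haproxy-cert']"
          register: haproxy_cert_mounted
          failed_when: false
        - name: Add a bind mount for stats socket in the haproxy bundle
          command: pcs resource bundle update haproxy-bundle storage-map add id=haproxy-var-lib source-dir=/var/lib/haproxy target-dir=/var/lib/haproxy options=rw
          when: haproxy_stats_exposed.rc == 6
        - name: Set HAProxy public cert volume mount fact
          set_fact:
            haproxy_public_cert_path: /etc/pki/tls/private/overcloud_endpoint.pem
            haproxy_public_tls_enabled: true
        # The PEM under /etc/pki/tls/private is mapped read-only (options=ro).
        - name: Add a bind mount for public certificate in the haproxy bundle
          command: pcs resource bundle update haproxy-bundle storage-map add id=haproxy-cert source-dir={{ haproxy_public_cert_path }} target-dir=/var/lib/kolla/config_files/src-tls/{{ haproxy_public_cert_path }} options=ro
          when:
            - haproxy_cert_mounted.rc == 6
            - haproxy_public_tls_enabled|bool
    - name: Update the haproxy bundle to use the new container image name
      command: pcs resource bundle update haproxy-bundle container image={{haproxy_image_latest}}
    - name: Enable the haproxy cluster resource
      pacemaker_resource:
        resource: haproxy-bundle
        state: enable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - name: Remove haproxy retag statefile
      file:
        path: /var/lib/tripleo/haproxy_needs_retag
        state: absent

- name: Retag the pacemaker image if containerized
  when:
    - step|int == 3
  block:
    - block:
        - name: Get haproxy image from pacemaker
          become: true
          shell: >-
            xmllint --xpath
            "string(//bundle[@id='haproxy-bundle']/podman/@image)"
            /var/lib/pacemaker/cib/cib.xml
          register: xmllint_pcmk_haproxy_image
        - name: Get container haproxy image
          set_fact:
            haproxy_image: registry.redhat.io/rhosp-rhel9/openstack-haproxy:17.1
            haproxy_image_latest: cluster.common.tag/haproxy:pcmklatest
            pcmk_haproxy_image: '{{xmllint_pcmk_haproxy_image.stdout}}'
        - block:
            - name: Retag pcmklatest to latest haproxy image
              include_role:
                name: tripleo_container_tag
              vars:
                container_image: '{{haproxy_image}}'
                container_image_latest: '{{haproxy_image_latest}}'
            # Rewrites every " rsprep" line of haproxy.cfg in place as an
            # http-response replace-header rule; the previous file is kept
            # with a .bak suffix.
            - name: Ensure config works for the new config
              shell: |-
                set -o pipefail
                awk -i inplace -v INPLACE_SUFFIX=.bak '/ rsprep/ {print " http-response replace-header Location " $3" "$5; next;}; {print} ' /var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg

- name: Anchor for upgrade and update tasks
  when: step|int == 0
  block:
    # '1777' is the octal spelling of the decimal 1023 in the generated
    # file: sticky bit plus rwx for everyone, labelled tmp_t.
    - name: Reset selinux label on /var/tmp
      file:
        mode: '1777'
        path: /var/tmp
        setype: tmp_t
        state: directory

# -------------------------------------------------------------- manila_share
- name: Prepare switch of manila_share image name
  when:
    - step|int == 0
  block:
    - name: Get manila_share image id currently used by pacemaker
      shell: >-
        pcs resource config openstack-manila-share
        | grep -Eo 'image=[^ ]+'
        | awk -F= '{print $2;}'
      register: manila_share_image_current_res
      failed_when: false
    - name: manila_share image facts
      set_fact:
        manila_share_image_current: '{{manila_share_image_current_res.stdout}}'
        manila_share_image_latest: cluster.common.tag/manila-share:pcmklatest
    - name: Temporarily tag the current manila_share image id with the upgraded image name
      import_role:
        name: tripleo_container_tag
      vars:
        container_image: '{{manila_share_image_current}}'
        container_image_latest: '{{manila_share_image_latest}}'
        pull_image: false
      when:
        - manila_share_image_current != ''
        - manila_share_image_current != manila_share_image_latest
    - name: Create manila_share retag statefile
      file:
        path: /var/lib/tripleo/manila_share_needs_retag
        state: touch
      when:
        - manila_share_image_current != ''
        - manila_share_image_current != manila_share_image_latest

- name: Update openstack-manila-share pcs resource bundle for new container image
  when:
    - step|int == 1
  block:
    - name: set is_manila_share_bootstrap_node fact
      set_fact:
        is_manila_share_bootstrap_node: "{{ manila_share_short_bootstrap_node_name|lower == ansible_facts['hostname']|lower }}"
      tags: common
    - name: Check for manila_share retag statefile
      stat:
        path: /var/lib/tripleo/manila_share_needs_retag
      register: manila_share_retag_state_file

- name: Update openstack-manila-share pcs resource bundle for new container image
  when:
    - step|int == 1
    - is_manila_share_bootstrap_node
    - manila_share_retag_state_file.stat.exists|bool
  block:
    - name: Disable the manila_share cluster resource before container upgrade
      pacemaker_resource:
        resource: openstack-manila-share
        state: disable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - name: pcs resource bundle update manila_share for new container image name
      command: pcs resource bundle update openstack-manila-share container image={{manila_share_image_latest}}
    - name: Enable the manila_share cluster resource
      pacemaker_resource:
        resource: openstack-manila-share
        state: enable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0

- name: Check for manila_share retag statefile
  stat:
    path: /var/lib/tripleo/manila_share_needs_retag
  register: manila_share_retag_state_file
  when:
    - step|int == 3

# NOTE(review): unlike the cinder blocks, this one is not gated on
# manila_share_retag_state_file, so the resource is disabled and re-enabled
# on every step 3 run - confirm that is intended.
- name: Retag openstack-manila-share container image
  when:
    - step|int == 3
  block:
    - name: Disable the manila_share cluster resource before container upgrade
      pacemaker_resource:
        resource: openstack-manila-share
        state: disable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - block:
        - block:
            - name: Get manila_share image from pacemaker
              become: true
              shell: >-
                xmllint --xpath
                "string(//bundle[@id='openstack-manila-share']/podman/@image)"
                /var/lib/pacemaker/cib/cib.xml
              register: xmllint_pcmk_manila_share_image
            - name: Get container manila_share image
              set_fact:
                manila_share_image: registry.redhat.io/rhosp-rhel9/openstack-manila-share:17.1
                manila_share_image_latest: cluster.common.tag/manila-share:pcmklatest
                pcmk_manila_share_image: '{{xmllint_pcmk_manila_share_image.stdout}}'
            - name: Retag the pacemaker image if containerized
              block:
                - name: Retag pcmklatest to latest manila_share image
                  include_role:
                    name: tripleo_container_tag
                  vars:
                    container_image: '{{manila_share_image}}'
                    container_image_latest: '{{manila_share_image_latest}}'
    - name: Enable the manila_share cluster resource
      pacemaker_resource:
        resource: openstack-manila-share
        state: enable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - name: Remove manila_share retag statefile
      file:
        path: /var/lib/tripleo/manila_share_needs_retag
        state: absent

# -------------------------------------------------------------- mysql/galera
- name: Tear-down non-HA mysql container
  when:
    - step|int == 0
  block:
    - name: stat mysql container
      command: podman container exists mysql
      register: stat_mysql_container
      changed_when: false
      failed_when: false
    # SECURITY: the clustercheck password below is a cleartext literal in
    # this file. Load it from an encrypted source (for example Ansible
    # Vault) and rotate the value if this file has been shared.
    # no_log keeps the rendered command and its environment out of task
    # output and logs.
    # NOTE(review): WITH GRANT OPTION lets this health-check account pass
    # its PROCESS privilege on to other accounts - confirm it is required.
    - name: Create clustercheck user and permissions
      command:
        argv: '{{ mysql_exec_data | container_exec_cmd }}'
      vars:
        mysql_exec_data:
          command:
            - mysql
            - /bin/sh
            - -c
            - >-
              mysql -e "CREATE USER IF NOT EXISTS 'clustercheck'@'localhost'
              IDENTIFIED BY '${CLUSTERCHECK_PASSWORD}';
              GRANT PROCESS ON *.* TO 'clustercheck'@'localhost'
              WITH GRANT OPTION;"
          environment:
            CLUSTERCHECK_PASSWORD: Zx168jeh3U8PrH2bvkjORV2bD
      no_log: true
      changed_when: true
      when:
        - stat_mysql_container.rc == 0
    - name: Remove non-HA mysql container
      include_role:
        name: tripleo_container_rm
      vars:
        tripleo_container_cli: '{{ container_cli }}'
        tripleo_containers_to_rm:
          - mysql

- name: set mysql container name fact
  set_fact:
    mysql_container_name: galera-bundle
  when:
    - step|int == 1

- name: Drop unused OpenStack DB users
  when:
    - step|int == 1
    - mysql_short_bootstrap_node_name|lower == ansible_facts['hostname']|lower
  block:
    - name: mysql container id
      command: podman ps -q --filter name={{ mysql_container_name }} --filter status=running
      register: mysql_container_id
    - name: set mysql container id fact
      set_fact:
        mysql_container: '{{ mysql_container_id.stdout }}'
    - name: Mysql script to drop unused DB users
      when: ( mysql_container | length ) > 0
      block:
        - name: Get the list of all OpenStack DB users
          shell: >-
            jq -r 'to_entries[] | select(.key|endswith("::db::mysql::user")) | .value'
            /etc/puppet/hieradata/service_configs.json
          register: openstack_db_users
        # Names read from hieradata are shell-quoted before they reach the
        # command line.
        # NOTE(review): $u is still spliced into the SQL text; this relies
        # on the hieradata being trusted deployment data.
        - name: List all DB users that match the DB users to be dropped
          shell: >-
            for u in {{ openstack_db_users.stdout_lines | map('quote') | join(' ') }};
            do podman exec -u root -it "{{ mysql_container }}" mysql -sNe
            "select concat('\`',user,'\`@\`',host,'\`') from mysql.user
            where user = '$u' and host != '%';";
            done
          register: mysql_db_users
        - name: resulting DB users to be dropped
          debug:
            msg: '{{ mysql_db_users.stdout_lines }}'
        # The whole statement is passed through the quote filter so a value
        # containing a single quote cannot end the shell argument early.
        - name: Drop all unneeded Openstack DB users
          shell: >-
            podman exec -u root -it "{{ mysql_container }}" mysql -sNe
            {{ ('drop user ' ~ item ~ ';') | quote }}
          loop: '{{ mysql_db_users.stdout_lines }}'

- when:
    - step|int == 3
    - mysql_upgrade_persist
  tags:
    - never
    - system_upgrade
    - system_upgrade_prepare
  vars:
    mysql_upgrade_persist: false
  block:
    - name: Persist mysql data
      include_role:
        name: tripleo_persist
        tasks_from: persist.yml
      vars:
        tripleo_persist_dir: /var/lib/mysql

- when:
    - step|int == 5
    - mysql_upgrade_persist
  tags:
    - never
    - system_upgrade
    - system_upgrade_run
  vars:
    mysql_upgrade_persist: false
  block:
    - name: Restore mysql data
      include_role:
        name: tripleo_persist
        tasks_from: restore.yml
      vars:
        tripleo_persist_dir: /var/lib/mysql

- name: Prepare switch of galera image name
  when:
    - step|int == 0
  block:
    - name: Get galera image id currently used by pacemaker
      shell: >-
        pcs resource config galera-bundle
        | grep -Eo 'image=[^ ]+'
        | awk -F= '{print $2;}'
      register: galera_image_current_res
      failed_when: false
    - name: Image facts for galera
      set_fact:
        galera_image_current: '{{galera_image_current_res.stdout}}'
        galera_image_latest: cluster.common.tag/mariadb:pcmklatest
    - name: Temporarily tag the current galera image id with the upgraded image name
      import_role:
        name: tripleo_container_tag
      vars:
        container_image: '{{galera_image_current}}'
        container_image_latest: '{{galera_image_latest}}'
        pull_image: false
      when:
        - galera_image_current != ''
        - galera_image_current != galera_image_latest
    - name: Create galera retag statefile
      file:
        path: /var/lib/tripleo/galera_needs_retag
        state: touch
      when:
        - galera_image_current != ''
        - galera_image_current != galera_image_latest

- name: Update galera pcs resource bundle for new container image - check
  when:
    - step|int == 1
  block:
    - name: set is_mysql_bootstrap_node fact
      set_fact:
        is_mysql_bootstrap_node: "{{ mysql_short_bootstrap_node_name|lower == ansible_facts['hostname']|lower }}"
      tags: common
    - name: Check for galera retag statefile
      stat:
        path: /var/lib/tripleo/galera_needs_retag
      register: galera_retag_state_file

- name: Update galera pcs resource bundle for new container image
  when:
    - step|int == 1
    - is_mysql_bootstrap_node|bool
    - galera_retag_state_file.stat.exists|bool
  block:
    - name: Disable the galera cluster resource before container upgrade
      pacemaker_resource:
        resource: galera-bundle
        state: disable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - name: Move Mysql logging to /var/log/containers
      block:
        - name: Check Mysql logging configuration in pacemaker
          command: cibadmin --query --xpath "//storage-mapping[@id='mysql-log']"
          register: mysql_logs_moved
          failed_when: false
        - name: Change Mysql logging configuration in pacemaker
          when: mysql_logs_moved.rc == 6
          block:
            - name: Add a bind mount for logging in the galera bundle
              command: pcs resource bundle update galera-bundle storage-map add id=mysql-log source-dir=/var/log/containers/mysql target-dir=/var/log/mysql options=rw
            - name: Reconfigure Mysql log file in the galera resource agent
              command: pcs resource update galera log=/var/log/mysql/mysqld.log
    - name: Update the galera bundle to use the new container image name
      command: pcs resource bundle update galera-bundle container image={{galera_image_latest}}
    - name: Enable the galera cluster resource
      pacemaker_resource:
        resource: galera-bundle
        state: enable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0

- name: Upgrade galera in step3
  when:
    - step|int == 3
  block:
    # Volumes for the throw-away upgrade container. Most are read-only;
    # the database directory, the log directory and the kolla config.json
    # are mounted read-write.
    - name: Bind mounts for temporary container
      set_fact:
        mysql_upgrade_db_bind_mounts:
          - /etc/hosts:/etc/hosts:ro
          - /etc/localtime:/etc/localtime:ro
          - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro
          - /etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro
          - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro
          - /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro
          - /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro
          - /dev/log:/dev/log
          - /etc/ipa/ca.crt:/etc/ipa/ca.crt:ro
          - /etc/puppet:/etc/puppet:ro
          - /var/lib/kolla/config_files/mysql.json:/var/lib/kolla/config_files/config.json:rw,z
          - /var/lib/config-data/puppet-generated/mysql:/var/lib/kolla/config_files/src:ro,z
          - /var/lib/mysql:/var/lib/mysql:rw,z
          - /var/log/containers/mysql:/var/log/mysql:rw,z
          - /etc/pki/tls/certs/mysql.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/mysql.crt:ro
          - /etc/pki/tls/private/mysql.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/mysql.key:ro
    # The container runs as root on the host network (-u root --net=host)
    # with the mounts above, including the MySQL TLS private key; it is
    # removed on exit (--rm). The script reaches bash through the
    # UPGRADE_SCRIPT environment variable.
    - name: Check if Galera needs upgrade
      shell: |-
        {{ container_cli }} run --rm --log-driver=k8s-file --log-opt path=/var/log/containers/mysql/db-upgrade.log \
        -u root --net=host -e "KOLLA_CONFIG_STRATEGY=COPY_ALWAYS" -v {{ mysql_upgrade_db_bind_mounts | join(' -v ')}} "cluster.common.tag/mariadb:pcmklatest" /bin/bash -ecx "$UPGRADE_SCRIPT"
      environment:
        UPGRADE_SCRIPT: |
          kolla_set_configs
          upgraded_ver=$(cat /var/lib/mysql/mysql_upgrade_info 2>/dev/null || true)
          mysql_ver=$(mysql --version | awk -F'[ ,]*' '{print $5}')
          if [ "${upgraded_ver}" = "${mysql_ver}" ]; then
            echo "mysql already upgraded"
          else
            echo "${upgraded_ver} VS ${mysql_ver}"
          fi
      register: mysql_upgrade_needed
    # Any stdout other than the exact sentinel string counts as "upgrade
    # needed".
    - name: Set fact upgrade_mysql
      set_fact:
        upgrade_mysql: '{{ (mysql_upgrade_needed.stdout != "mysql already upgraded") | bool }}'
    - debug:
        msg: 'MYSQL check - {{ mysql_upgrade_needed.stdout }} - Upgrade needed: {{ upgrade_mysql }}'
    - name: Disable the galera cluster resource before container upgrade
      pacemaker_resource:
        resource: galera-bundle
        state: disable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
      when:
        - upgrade_mysql|bool
    - block:
        - name: Get galera image from pacemaker
          become: true
          shell: >-
            xmllint --xpath
            "string(//bundle[@id='galera-bundle']/podman/@image)"
            /var/lib/pacemaker/cib/cib.xml
          register: xmllint_pcmk_galera_image
        - name: Get container galera image
          set_fact:
            galera_image: registry.redhat.io/rhosp-rhel9/openstack-mariadb:17.1
            galera_image_latest: cluster.common.tag/mariadb:pcmklatest
            pcmk_galera_image: '{{xmllint_pcmk_galera_image.stdout}}'
        - name: Check for galera retag statefile
          stat:
            path: /var/lib/tripleo/galera_needs_retag
          register: galera_retag_state_file
        - name: Retag the pacemaker image if containerized
          when:
            - galera_retag_state_file.stat.exists|bool
          block:
            - name: Retag pcmklatest to latest galera image
              include_role:
                name: tripleo_container_tag
              vars:
                container_image: '{{galera_image}}'
                container_image_latest: '{{galera_image_latest}}'
        - name: Remove galera retag statefile
          file:
            path: /var/lib/tripleo/galera_needs_retag
            state: absent
    # Starts mysqld without galera replication or networking
    # (--wsrep-provider=none --wsrep-on=off --skip-networking), runs
    # mysql_upgrade, converts Compact InnoDB tables to DYNAMIC, then shuts
    # the server down again.
    - name: Mysql upgrade script
      set_fact:
        mysql_upgrade_script: |-
          kolla_set_configs
          if mysqladmin ping --silent; then exit 0; fi
          upgraded_ver=$(cat /var/lib/mysql/mysql_upgrade_info 2>/dev/null || true)
          mysql_ver=$(mysql --version | awk -F'[ ,]*' '{print $5}')
          if [ "${upgraded_ver}" = "${mysql_ver}" ]; then
            echo "mysql already upgraded"
            exit 0
          fi
          chown -R mysql:mysql /var/lib/mysql
          chown -R mysql:mysql /var/log/mysql
          mysqld_safe --user=mysql --wsrep-provider=none --skip-networking --wsrep-on=off --log-error=/var/log/mysql/mysqld-upgrade.log &

          #!/usr/bin/bash

          set -e

          # Wait until we know the mysql server is up and responding
          timeout ${DB_MAX_TIMEOUT:-60} /bin/bash -c 'until mysqladmin -uroot ping 2>/dev/null; do sleep 1; done'

          # After an upgrade, make sure that the running mysql had a chance to
          # update its data table on disk.
          mysql_upgrade

          # Upgrade to 10.3: the default table row format changed from COMPACT
          # to DYNAMIC, so upgrade the existing tables.
          compact_tables=$(mysql -se 'SELECT CONCAT("`",TABLE_SCHEMA,"`.`",TABLE_NAME,"`") FROM information_schema.tables WHERE ENGINE = "InnoDB" and ROW_FORMAT = "Compact";');
          for i in $compact_tables; do echo converting row format of table $i; mysql -e "ALTER TABLE $i ROW_FORMAT=DYNAMIC;"; done;

          mysqladmin shutdown
      when:
        - upgrade_mysql|bool
    - name: Upgrade Mysql database from a temporary container
      shell: |-
        {{ container_cli }} run --rm --log-driver=k8s-file --log-opt path=/var/log/containers/mysql/db-upgrade.log \
        -u root --net=host -e "KOLLA_CONFIG_STRATEGY=COPY_ALWAYS" -v {{ mysql_upgrade_db_bind_mounts | join(' -v ')}} "cluster.common.tag/mariadb:pcmklatest" /bin/bash -ecx "$UPGRADE_SCRIPT"
      environment:
        UPGRADE_SCRIPT: '{{ mysql_upgrade_script }}'
      when:
        - upgrade_mysql|bool
    - name: Enable the galera cluster resource
      pacemaker_resource:
        resource: galera-bundle
        state: enable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
      when:
        - upgrade_mysql|bool

- name: Ensure old cron.daily is absent
  file:
    path: /etc/cron.daily/containers-tmpwatch
    state: absent
  when: step|int == 1

# ------------------------------------------------------------ ovn_controller
# {{'{{'}} and {{'}}'}} emit literal braces, so podman receives the Go
# template {{.ImageName}}.
- name: Fetch running ovn_controller image
  shell: |
    set -e
    podman inspect --format "{{'{{'}}.ImageName{{'}}'}}" ovn_controller
  register: running_ovn_image
  tags:
    - ovn
    - ovn_image
  when:
    - step|int == 4

- name: Run ovn_controller upgrade
  when:
    - step|int == 4
    - running_ovn_image.stdout != ovn_controller_image
  tags:
    - ovn
    - ovn_image
  vars:
    ovn_controller_image: registry.redhat.io/rhosp-rhel9/openstack-ovn-controller:17.1
  block:
    # SECURITY: the generated file had validate_certs: false here, which
    # turns off TLS verification for the registry pull and lets an on-path
    # host substitute the image. Verification is enabled, matching the
    # collectd pull, which leaves the module default in place. A registry
    # with a private CA should have that CA added to the host trust store
    # rather than disabling verification.
    - name: Force pull image in case image name doesn't change.
      containers.podman.podman_image:
        force: true
        name: registry.redhat.io/rhosp-rhel9/openstack-ovn-controller:17.1
        validate_certs: true
      tags:
        - ovn
        - ovn_image
      when: step|int == 4
    - name: Update OVN OVS related parameters before update.
      shell: |
        set -e
        ovs-vsctl set Open_vSwitch . external_ids:ovn-ofctrl-wait-before-clear={{ timeout }}
        ovs-vsctl set Open_vSwitch . external_ids:ovn-monitor-all=true
        ovs-vsctl set Open_vSwitch . external_ids:ovn-match-northd-version=false
      tags:
        - ovn
      vars:
        timeout: 8000
      when:
        - step|int == 4
    - name: Find ovn_controller configs in container-startup-configs
      find:
        paths: /var/lib/tripleo-config/container-startup-config/
        patterns: '*ovn_controller.json'
        recurse: true
      register: ovn_cont_17_0
      tags:
        - ovn
      when:
        - step|int == 4
    # Uses the first match only (files.0).
    - name: get directory path from the ovn_cont_17_0
      set_fact:
        ovn_config_path: '{{ ovn_cont_17_0.files.0.path | dirname }}'
      tags: ovn
      when: step|int == 4
    - name: Get PIDfile used by systemd on each ovn node
      shell: |
        set -e
        grep PID /etc/systemd/system/tripleo_ovn_controller.service | cut -d= -f2
      register: pidfile
      tags:
        - ovn
      when:
        - step|int == 4
    # config_step resolves to '4' when the config was found under a step_4
    # directory and to '3' otherwise.
    - name: Update ovn_controller.
      tripleo_container_manage:
        config_dir: '{{ ovn_config_path }}'
        config_id:
          - tripleo_step{{config_step}}
        config_overrides:
          '.*ovn_controller':
            conmon_pidfile: '{{ pidfile.stdout }}'
            image: registry.redhat.io/rhosp-rhel9/openstack-ovn-controller:17.1
            name: ovn_controller
        config_patterns: '*ovn_controller.json'
        debug: '{{ enable_debug | bool }}'
        log_base_path: '{{ container_log_stdout_path }}'
      tags: ovn
      vars:
        config_step: "{{ ('step_4' in ovn_config_path) | ternary('4', '3') }}"
      when: step|int == 4
    - name: Pause for 30s to give ovn_controllers time to reconnect to dbs
      wait_for:
        timeout: 30
      tags: ovn
      when:
        - step|int == 4

# ------------------------------------------------------------- redis removal
# The three tasks below run on the pacemaker bootstrap node only, and only
# when "redis" is no longer in enabled_services. Their `when` entries are
# bare expressions: wrapping a conditional in {{ }} makes Ansible template
# it twice and emits a warning.
- name: Ensure redis is removed
  become: true
  shell: |
    if crm_resource -r redis-bundle -q &>/dev/null; then
      pcs resource delete redis-bundle || true
      pcs resource delete ip-$(hiera redis_vip) || true
    fi
  when:
    - step|int == 5
    - '"redis" not in enabled_services|list'
    - (pacemaker_short_bootstrap_node_name|lower == ansible_facts['hostname']|lower)|bool

- name: Clean up cluster node cache
  become: true
  shell: |
    pcs cluster node clear redis-bundle-0
    pcs cluster node clear redis-bundle-1
    pcs cluster node clear redis-bundle-2
    crm_attribute --name redis_REPL_INFO --delete
  when:
    - step|int == 5
    - '"redis" not in enabled_services|list'
    - (pacemaker_short_bootstrap_node_name|lower == ansible_facts['hostname']|lower)|bool

- name: Clean up redis attribute
  become: true
  shell: |
    pcs node attribute "{{ item }}" redis-role= || true
  loop: '{{ pacemaker_short_node_names }}'
  when:
    - step|int == 5
    - '"redis" not in enabled_services|list'
    - (pacemaker_short_bootstrap_node_name|lower == ansible_facts['hostname']|lower)|bool

# ------------------------------------------------------------------ rabbitmq
- block:
    - name: Remove non-HA rabbitmq container
      include_role:
        name: tripleo_container_rm
      vars: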
tripleo_container_cli: '{{ container_cli }}' tripleo_containers_to_rm: - rabbitmq name: Tear-down non-HA rabbitmq container when: - step|int == 0 - block: - failed_when: false name: Get rabbitmq image id currently used by pacemaker register: rabbitmq_rpc_image_current_res shell: pcs resource config rabbitmq-bundle | grep -Eo 'image=[^ ]+' | awk -F= '{print $2;}' - name: Image facts for rabbitmq set_fact: rabbitmq_rpc_image_current: '{{rabbitmq_rpc_image_current_res.stdout}}' rabbitmq_rpc_image_latest: cluster.common.tag/rabbitmq:pcmklatest - import_role: name: tripleo_container_tag name: Temporarily tag the current rabbitmq image id with the upgraded image name vars: container_image: '{{rabbitmq_rpc_image_current}}' container_image_latest: '{{rabbitmq_rpc_image_latest}}' pull_image: false when: - rabbitmq_rpc_image_current != '' - rabbitmq_rpc_image_current != rabbitmq_rpc_image_latest - file: path: /var/lib/tripleo/rabbitmq_rpc_needs_retag state: touch name: Create rabbitmq_rpc retag statefile when: - rabbitmq_rpc_image_current != '' - rabbitmq_rpc_image_current != rabbitmq_rpc_image_latest name: Prepare switch of rabbitmq image name when: - step|int == 0 - block: - name: set is_rpc_rabbitmq_bootstrap_node fact set_fact: is_rpc_rabbitmq_bootstrap_node={{oslo_messaging_rpc_short_bootstrap_node_name|lower == ansible_facts['hostname']|lower}} - name: Check for rabbitmq_rpc retag statefile register: rabbitmq_rpc_retag_state_file stat: path: /var/lib/tripleo/rabbitmq_rpc_needs_retag name: Update rabbitmq-bundle pcs resource bundle for new container image when: - step|int == 1 - block: - name: Disable the rabbitmq cluster resource before container upgrade pacemaker_resource: resource: rabbitmq-bundle state: disable wait_for_resource: true register: output retries: 5 until: output.rc == 0 - command: cibadmin --query --xpath "//storage-mapping[@id='rabbitmq-log']" failed_when: false name: Check rabbitmq logging configuration in pacemaker register: rabbitmq_logs_moved - 
command: pcs resource bundle update rabbitmq-bundle storage-map add id=rabbitmq-log source-dir=/var/log/containers/rabbitmq target-dir=/var/log/rabbitmq options=rw name: Add a bind mount for logging in the rabbitmq bundle when: rabbitmq_logs_moved.rc == 6 - command: pcs resource bundle update rabbitmq-bundle container image={{rabbitmq_rpc_image_latest}} name: Update the rabbitmq bundle to use the new container image name - name: Enable the rabbitmq cluster resource pacemaker_resource: resource: rabbitmq-bundle state: enable wait_for_resource: true register: output retries: 5 until: output.rc == 0 name: Update rabbitmq-bundle pcs resource bundle for new container image when: - step|int == 1 - is_rpc_rabbitmq_bootstrap_node|bool - rabbitmq_rpc_retag_state_file.stat.exists|bool - name: Check for rabbitmq_rpc retag statefile register: rabbitmq_rpc_retag_state_file stat: path: /var/lib/tripleo/rabbitmq_rpc_needs_retag when: - step|int == 3 - block: - name: Disable the rabbitmq cluster resource before container upgrade pacemaker_resource: resource: rabbitmq-bundle state: disable wait_for_resource: true register: output retries: 5 until: output.rc == 0 - block: - block: - become: true name: Get rabbitmq image from pacemaker register: xmllint_pcmk_rabbitmq_rpc_image shell: xmllint --xpath "string(//bundle[@id='rabbitmq-bundle']/podman/@image)" /var/lib/pacemaker/cib/cib.xml - name: Get container rabbitmq image set_fact: pcmk_rabbitmq_rpc_image: '{{xmllint_pcmk_rabbitmq_rpc_image.stdout}}' rabbitmq_rpc_image: registry.redhat.io/rhosp-rhel9/openstack-rabbitmq:17.1 rabbitmq_rpc_image_latest: cluster.common.tag/rabbitmq:pcmklatest - block: - include_role: name: tripleo_container_tag name: Retag pcmklatest to latest rabbitmq image vars: container_image: '{{rabbitmq_rpc_image}}' container_image_latest: '{{rabbitmq_rpc_image_latest}}' name: Retag the pacemaker image if containerized - name: Enable the rabbitmq cluster resource pacemaker_resource: resource: rabbitmq-bundle state: 
enable wait_for_resource: true register: output retries: 5 until: output.rc == 0 - file: path: /var/lib/tripleo/rabbitmq_rpc_needs_retag state: absent name: Remove rabbitmq_rpc retag statefile name: Retag rabbitmq-bundle container image when: - step|int == 3 - rabbitmq_rpc_retag_state_file.stat.exists|bool - block: - lineinfile: dest: /etc/hosts line: '{{ undercloud_hosts_entries | join('''') }}' state: present name: Make sure the Undercloud hostname is included in /etc/hosts when: - undercloud_hosts_entries is defined name: Configure Podman registry when: - step|int == 1 - block: - name: Set login facts no_log: true set_fact: container_default_pids_limit: 4096 container_events_logger_mechanism: journald container_registry_insecure_registries: [] container_registry_login: false container_registry_logins: {} container_registry_logins_json: {} - name: Convert logins json to dict no_log: true set_fact: container_registry_logins: '{{ container_registry_logins_json | from_json }}' when: - container_registry_logins_json is string - container_registry_login | bool - (container_registry_logins_json | length) > 0 - name: Set registry logins no_log: true set_fact: container_registry_logins: '{{ container_registry_logins_json }}' when: - container_registry_logins_json is mapping - container_registry_login | bool - (container_registry_logins_json | length) > 0 - include_role: name: tripleo_podman tasks_from: tripleo_podman_install.yml name: Run podman install vars: tripleo_container_default_pids_limit: '{{ container_default_pids_limit }}' tripleo_container_events_logger_mechanism: '{{ container_events_logger_mechanism }}' tripleo_container_registry_insecure_registries: '{{ container_registry_insecure_registries }}' - include_role: name: tripleo_podman tasks_from: tripleo_podman_login.yml name: Run podman login vars: tripleo_container_registry_login: '{{ container_registry_login | bool }}' tripleo_container_registry_logins: '{{ container_registry_logins }}' name: Run podman 
install tags: - system_upgrade - system_upgrade_run when: - step|int == 1 - block: - file: path: /etc/tmpfiles.d/var-run-redis.conf state: absent name: Clean old tmpfile configuration name: redis_pacemaker_puppet_tmpfile_cleanup when: step|int == 1 - block: - include_role: name: tripleo_container_rm name: Remove non-HA redis container vars: tripleo_container_cli: '{{ container_cli }}' tripleo_containers_to_rm: - redis name: Tear-down non-HA redis container when: - step|int == 0 - block: - failed_when: false name: Get redis image id currently used by pacemaker register: redis_image_current_res shell: pcs resource config redis-bundle | grep -Eo 'image=[^ ]+' | awk -F= '{print $2;}' - name: Image facts for redis set_fact: redis_image_current: '{{redis_image_current_res.stdout}}' redis_image_latest: cluster.common.tag/redis:pcmklatest - import_role: name: tripleo_container_tag name: Temporarily tag the current redis image id with the upgraded image name vars: container_image: '{{redis_image_current}}' container_image_latest: '{{redis_image_latest}}' pull_image: false when: - redis_image_current != '' - redis_image_current != redis_image_latest - file: path: /var/lib/tripleo/redis_needs_retag state: touch name: Create redis retag statefile when: - redis_image_current != '' - redis_image_current != redis_image_latest name: Prepare switch of redis image name when: - step|int == 0 - block: - name: Set upgrade redis facts set_fact: is_redis_bootstrap_node: '{{redis_short_bootstrap_node_name|lower == ansible_facts[''hostname'']|lower}}' - name: Check for redis retag statefile register: redis_retag_state_file stat: path: /var/lib/tripleo/redis_needs_retag name: Update redis-bundle pcs resource bundle for new container image when: - step|int == 1 - block: - name: Disable the redis cluster resource before container upgrade pacemaker_resource: resource: redis-bundle state: disable wait_for_resource: true register: output retries: 5 until: output.rc == 0 - block: - command: 
cibadmin --query --xpath "//storage-mapping[@id='redis-log' and @source-dir='/var/log/containers/redis']" failed_when: false name: Check redis logging configuration in pacemaker register: redis_logs_moved - block: - command: pcs resource bundle update redis-bundle storage-map remove redis-log name: Remove old bind mount for logging in the redis bundle - command: pcs resource bundle update redis-bundle storage-map add id=redis-log source-dir=/var/log/containers/redis target-dir=/var/log/redis options=rw name: Add a bind mount for logging in the redis bundle name: Change redis logging configuration in pacemaker when: redis_logs_moved.rc == 6 name: Move redis logging to /var/log/containers - command: pcs resource bundle update redis-bundle container image={{redis_image_latest}} name: Update the redis bundle to use the new container image name - name: Enable the redis cluster resource pacemaker_resource: resource: redis-bundle state: enable wait_for_resource: true register: output retries: 5 until: output.rc == 0 name: Update redis-bundle pcs resource bundle for new container image when: - step|int == 1 - is_redis_bootstrap_node|bool - redis_retag_state_file.stat.exists|bool - name: Check for redis retag statefile register: redis_retag_state_file stat: path: /var/lib/tripleo/redis_needs_retag when: - step|int == 3 - block: - name: Disable the redis cluster resource before container upgrade pacemaker_resource: resource: redis-bundle state: disable wait_for_resource: true register: output retries: 5 until: output.rc == 0 - block: - block: - become: true name: Get redis image from pacemaker register: xmllint_pcmk_redis_image shell: xmllint --xpath "string(//bundle[@id='redis-bundle']/podman/@image)" /var/lib/pacemaker/cib/cib.xml - name: Get container redis image set_fact: pcmk_redis_image: '{{xmllint_pcmk_redis_image.stdout}}' redis_image: registry.redhat.io/rhosp-rhel9/openstack-redis:17.1 redis_image_latest: cluster.common.tag/redis:pcmklatest - block: - include_role: 
name: tripleo_container_tag name: Retag pcmklatest to latest redis image vars: container_image: '{{redis_image}}' container_image_latest: '{{redis_image_latest}}' name: Retag the pacemaker image if containerized - name: Enable the redis-bundle cluster resource pacemaker_resource: resource: redis-bundle state: enable wait_for_resource: true register: output retries: 5 until: output.rc == 0 - file: path: /var/lib/tripleo/redis_needs_retag state: absent name: Remove redis retag statefile name: Retag redis-bundle container image when: - step|int == 3 - redis_retag_state_file.stat.exists|bool - block: - command: systemctl is-enabled --quiet snmpd failed_when: false name: Check if snmpd is enabled register: snmpd_enabled_result - name: Set fact snmpd_enabled set_fact: snmpd_enabled: '{{ snmpd_enabled_result.rc == 0 }}' when: step|int == 0 - name: Stop snmp service service: name=snmpd state=stopped when: - step|int == 1 - snmpd_enabled|bool - block: - failed_when: false name: Disable tripleo-iptables.service register: systemd_tripleo_iptables systemd: enabled: false name: tripleo-iptables.service state: stopped - file: path: /etc/systemd/system/tripleo-iptables.service state: absent name: Cleanup tripleo-iptables.services - failed_when: false name: Disable tripleo-ip6tables.service register: systemd_tripleo_ip6tables systemd: enabled: false name: tripleo-ip6tables.service state: stopped - file: path: /etc/systemd/system/tripleo-ip6tables.service state: absent name: Cleanup tripleo-ip6tables.services - name: Reload systemd systemd: daemon_reload: true when: - (systemd_tripleo_iptables is changed or systemd_tripleo_ip6tables is changed) name: Cleanup tripleo-iptables services when: - (step | int) == 1 - block: - args: creates: /etc/sysconfig/ip6tables.n-o-upgrade name: blank ipv6 rule before activating ipv6 firewall. 
shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat/etc/sysconfig/ip6tables - name: cleanup unmanaged rules pushed by iptables-services shell: "iptables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null\ \ && \\\n iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n\ iptables -C INPUT -p icmp -j ACCEPT &>/dev/null && \\\n iptables -D INPUT -p\ \ icmp -j ACCEPT\niptables -C INPUT -i lo -j ACCEPT &>/dev/null && \\\n iptables\ \ -D INPUT -i lo -j ACCEPT\niptables -C INPUT -p tcp -m state --state NEW -m\ \ tcp --dport 22 -j ACCEPT &>/dev/null && \\\n iptables -D INPUT -p tcp -m\ \ state --state NEW -m tcp --dport 22 -j ACCEPT\niptables -C INPUT -j REJECT\ \ --reject-with icmp-host-prohibited &>/dev/null && \\\n iptables -D INPUT\ \ -j REJECT --reject-with icmp-host-prohibited\niptables -C FORWARD -j REJECT\ \ --reject-with icmp-host-prohibited &>/dev/null && \\\n iptables -D FORWARD\ \ -j REJECT --reject-with icmp-host-prohibited\n\nsed -i '/^-A INPUT -m state\ \ --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/iptables\nsed -i\ \ '/^-A INPUT -p icmp -j ACCEPT$/d' /etc/sysconfig/iptables\nsed -i '/^-A INPUT\ \ -i lo -j ACCEPT$/d' /etc/sysconfig/iptables\nsed -i '/^-A INPUT -p tcp -m\ \ state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/iptables\n\ sed -i '/^-A INPUT -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables\n\ sed -i '/^-A FORWARD -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables\n\ \nip6tables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null\ \ && \\\n ip6tables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n\ ip6tables -C INPUT -p ipv6-icmp -j ACCEPT &>/dev/null && \\\n ip6tables -D\ \ INPUT -p ipv6-icmp -j ACCEPT\nip6tables -C INPUT -i lo -j ACCEPT &>/dev/null\ \ && \\\n ip6tables -D INPUT -i lo -j ACCEPT\nip6tables -C INPUT -p tcp -m\ \ state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \\\n 
ip6tables\ \ -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT\nip6tables\ \ -C INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT\ \ &>/dev/null && \\\n ip6tables -D INPUT -d fe80::/64 -p udp -m udp --dport\ \ 546 -m state --state NEW -j ACCEPT\nip6tables -C INPUT -j REJECT --reject-with\ \ icmp6-adm-prohibited &>/dev/null && \\\n ip6tables -D INPUT -j REJECT --reject-with\ \ icmp6-adm-prohibited\nip6tables -C FORWARD -j REJECT --reject-with icmp6-adm-prohibited\ \ &>/dev/null && \\\n ip6tables -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited\n\ \nsed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/ip6tables\n\ sed -i '/^-A INPUT -p ipv6-icmp -j ACCEPT$/d' /etc/sysconfig/ip6tables\nsed\ \ -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/ip6tables\nsed -i '/^-A\ \ INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/ip6tables\n\ sed -i '/^-A INPUT -d fe80::\\/64 -p udp -m udp --dport 546 -m state --state\ \ NEW -j ACCEPT$/d' /etc/sysconfig/ip6tables\nsed -i '/^-A INPUT -j REJECT --reject-with\ \ icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables\nsed -i '/^-A FORWARD -j\ \ REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables" when: - (step | int) == 3 - name: Gather missing facts setup: gather_subset: - '!all' - '!min' - distribution tags: - always - name: Set leapp facts set_fact: upgrade_leapp_command_options: '' upgrade_leapp_debug: false upgrade_leapp_devel_skip: '' upgrade_leapp_enabled: "{{ _upgradeLeappEnabled | bool and\n ansible_facts['distribution']\ \ == 'RedHat' and\n ansible_facts['distribution_major_version'] is version('8',\ \ '==') }}" upgrade_leapp_post_reboot_delay: 120 upgrade_leapp_reboot_timeout: 3600 tags: - always vars: _upgradeLeappEnabled: false - block: - name: Run LeappRepoInitCommand shell: '#!/bin/bash ' - name: Remove firewalld bindings package: name: python3-firewall state: absent - name: install leapp package: 
name: leapp-repository-openstack state: latest - name: Run LeappInitCommand shell: '#!/bin/bash ' - name: Remove vdo package: name: vdo state: absent - lineinfile: line: '{{ item }}' path: /etc/leapp/transaction/to_remove loop: '{{ pkg_to_remove }}' name: add packages into Leapp's to_remove file vars: pkg_to_remove: [] - lineinfile: line: '{{ item }}' path: /etc/leapp/transaction/to_install loop: '{{ pkg_to_install }}' name: add packages into Leapp's to_install file vars: pkg_to_install: [] - name: check sshd_config file register: sshd_config_result stat: path: /etc/ssh/sshd_config - lineinfile: line: PermitRootLogin without-password path: /etc/ssh/sshd_config regexp: ^(# *)?PermitRootLogin name: add PermitRootLogin option for leapp - name: Remove paunch-services package: name: paunch-services state: absent - import_role: name: tripleo_container_manage tasks_from: shutdown.yml name: tripleo_container_manage reconfiguration name: system_upgrade_prepare step 3 tags: - never - system_upgrade - system_upgrade_prepare when: - step|int == 3 - upgrade_leapp_enabled - block: - loop: '{{ modules_to_unload }}' name: Delete the kernel modules in Leapp database (device_driver_deprecation_data.json) shell: 'set -o pipefail && jq ''. 
| del(.data[] | select(.driver_name == "{{ item }}"))'' /etc/leapp/files/device_driver_deprecation_data.json > /etc/leapp/files/device_driver_deprecation_data.json_modified && mv /etc/leapp/files/device_driver_deprecation_data.json_modified /etc/leapp/files/device_driver_deprecation_data.json ' vars: modules_to_unload: [] - command: cmd: find /usr/share/leapp-repository/repositories/ -name {{ item }} -type d -print -exec rm -rf "{}" + loop: '{{ actors_to_remove }}' name: Remove leapp actors to prevent them inhibiting the upgrade vars: actors_to_remove: [] - name: set leapp required answers shell: 'leapp answer --add --section check_vdo.confirm=True ' - import_role: name: tripleo_kernel tasks_from: efigrub.yml name: Replace EFI grub.cfg with redirect to /boot/grub2/grub.cfg - loop: '{{ nics_prefixes_to_keep|list }}' name: Keep nics with prefix in NICsPrefixesToUdev from renaming shell: "ip -j link show | \\ jq -r --arg prefix \"{{ item }}\" '.[] |\n select((.ifname\ \ | startswith($prefix)) and\n (.ifname | test(\"^.*v[0-9]*$\") | not) and\n\ \ (.ifname | test(\"^.*_[0-9]*$\") | not) and\n (.ifname | test(\"^.*\\\\\ ..*$\") | not)) |\n if .permaddr? then .address=.permaddr else . 
end |\n \"\ SUBSYSTEM==\\\"net\\\",ACTION==\\\"add\\\",DRIVERS==\\\"?*\\\",\" + \"NAME=\\\ \"\" + .ifname +\"\\\" ,ATTR{address}==\\\"\" + .address + \"\\\"\"' >> /etc/udev/rules.d/70-rhosp-persistent-net.rules\n" vars: nics_prefixes_to_keep: [] - name: run leapp upgrade (download packages) shell: '{% if upgrade_leapp_devel_skip|default(false) %}{{ upgrade_leapp_devel_skip }}{% endif %} leapp upgrade {% if upgrade_leapp_debug|default(true) %}--debug{% endif %} {% if upgrade_leapp_command_options|default(false) %}{{ upgrade_leapp_command_options }}{% endif %} ' when: upgrade_leapp_enabled name: system_upgrade_prepare step 4 tags: - never - system_upgrade - system_upgrade_prepare when: - step|int == 4 - upgrade_leapp_enabled - block: - name: Run LeappPreRebootCommand shell: '#!/bin/bash ' - name: Check that nova_libvirt is running register: is_virtlogd_image_running shell: 'podman ps --filter name=^nova_virtlogd$ --format "{% raw %}{{ .Image }}{% endraw %}" ' - file: path: /etc/systemd/system/{{ item }} state: absent name: Remove systemd files to disable them when: is_virtlogd_image_running.stdout != '' with_items: - tripleo_nova_libvirt.service - tripleo_nova_virtlogd_wrapper.service - tripleo_nova_libvirt.target - name: reboot to perform the upgrade reboot: post_reboot_delay: '{{ upgrade_leapp_post_reboot_delay }}' reboot_timeout: '{{upgrade_leapp_reboot_timeout}}' test_command: source /etc/os-release; [ "${VERSION_ID%.*}" -ge "8" ] && systemctl is-system-running | grep -qE "running|degraded" || exit 1 - name: Set selinux back to enforcing after leapp reboot selinux: policy: targeted state: enforcing - name: Run LeappPostRebootCommand shell: '#!/bin/bash ' name: system_upgrade_run step 4 tags: - never - system_upgrade - system_upgrade_run - system_upgrade_reboot when: - step|int == 4 - upgrade_leapp_enabled - '''Undercloud'' not in group_names' - block: - block: - name: Run UpgradeInitCommand shell: '#!/bin/bash if [[ -f /etc/resolv.conf.save ]] ; then rm 
/etc/resolv.conf.save; fi ' - name: Run UpgradeInitCommonCommand shell: '#!/bin/bash ' - dnf: name: '@{{ item.module }}:{{ item.stream }}/{{ item.profile|default(''common'') }}' state: present loop: '{{ dnf_module_list|list }}' name: Ensure DNF modules have the right stream vars: dnf_module_list: [] when: - dnf_module_list|length > 0 - item.distribution_version is defined - ansible_facts['distribution_major_version'] is version(item.distribution_version, '==') - name: Ensure TripleO prerequisite packages are installed package: name: - jq - lvm2 - openstack-selinux - os-net-config - puppet-tripleo - python3-heat-agent* - rsync state: present when: ansible_facts['distribution_major_version'] is version('8', '==') - name: Ensure TripleO prerequisite packages are installed and use role based heat variable to provide specific list of packages package: name: '{{ base_tripleo_packages }}' state: present vars: base_tripleo_packages: [] when: - ansible_facts['distribution_major_version'] is version('8', '==') - base_tripleo_packages|length > 0 - name: WA for 2240185 - If the image is schema 1 and lacks signatures than add empty signatures shell: "for manifest_file in `find /var/lib/containers/storage/overlay-images/\ \ -name 'manifest'`\ndo\n cat <<< $( jq 'if .schemaVersion == 1 then if\ \ has(\"signatures\") then . else .signatures=[] end else . 
end' $manifest_file\ \ ) > $manifest_file\ndone\n" when: ansible_facts['distribution_major_version'] is version('8', '==') name: Package and repo update tasks - check_mode: false command: /usr/bin/rpm -q libvirt-daemon failed_when: false name: check if libvirt is installed register: libvirt_installed - loop: - libvirtd.service - virtlogd.socket name: make sure libvirt services are disabled and masked service: daemon_reload: true enabled: false masked: true name: '{{ item }}' state: stopped when: - libvirt_installed.rc == 0 name: Host packages setup step0 tags: setup_packages when: step|int == 0 - block: - name: Special treatment for OpenvSwitch register: ovs_upgrade tripleo_ovs_upgrade: null - name: Always ensure the openvswitch service is enabled and running after upgrades service: enabled: true name: openvswitch state: started when: - ovs_upgrade.changed|bool name: Host packages setup step2 tags: setup_packages when: step|int == 2 - block: - name: Check for os-net-config upgrade register: os_net_config_need_upgrade shell: yum check-upgrade | awk '/os-net-config/{print}' - name: Check that os-net-config has legacy configuration register: stat_config_json stat: get_attributes: false get_checksum: false get_mime: false path: /etc/os-net-config/config.json - name: Check that os-net-config has new configuration register: stat_config_yaml stat: get_attributes: false get_checksum: false get_mime: false path: /etc/os-net-config/config.yaml - name: Slurp the os-net-config config.json register: os_config_json slurp: src: /etc/os-net-config/config.json when: - stat_config_json.stat.exists - not stat_config_yaml.stat.exists - copy: content: '{{ os_config_json.content | b64decode | from_json | to_yaml }}' dest: /etc/os-net-config/config.yaml name: Write updated /etc/os-net-config/config.yaml when: - stat_config_json.stat.exists - not stat_config_yaml.stat.exists - command: mv /etc/os-net-config/config.json /etc/os-net-config/deprecated_config.json name: Remove legacy 
os-net-config configuration when: - stat_config_json.stat.exists - block: - name: Upgrade os-net-config package: name=os-net-config state=latest - changed_when: os_net_config_upgrade.rc == 2 command: os-net-config --no-activate -c /etc/os-net-config/config.yaml -v --detailed-exit-codes failed_when: os_net_config_upgrade.rc not in [0,2] name: take new os-net-config parameters into account now register: os_net_config_upgrade when: - os_net_config_need_upgrade.stdout - stat_config_yaml.stat.exists or stat_config_json.stat.exists - name: Update all packages vars: skip_package_update: false when: - not skip_package_update|bool yum: exclude: ansible-core name: '*' state: latest - command: systemctl status openvswitch.service ignore_errors: true name: Check whether openvswitch exits register: ovs_service - name: Always ensure the openvswitch service is enabled and running after upgrades rhbz#2329821 service: enabled: true name: openvswitch state: started when: - ovs_service.stderr != "Unit openvswitch.service could not be found." name: Host packages setup step3 tags: setup_packages when: step|int == 3