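# Step-1 upgrade tasks for pacemaker-managed container bundles and host cleanup.
#
# Most services follow the same two-stage pattern:
#   1. a "check" block that records whether this host is the service's
#      bootstrap node and whether a /var/lib/tripleo/<svc>_needs_retag
#      statefile exists;
#   2. an "update" block that runs only on the bootstrap node when the
#      statefile exists: disable the pcs resource, point the bundle at the
#      new container image, re-enable the resource.
#
# Several tasks run `cibadmin --query` with failed_when: false and then act
# only when rc == 6, i.e. when the queried storage-mapping was not found.

# ---------------------------------------------------------------------------
# cinder_backup
# ---------------------------------------------------------------------------
- name: Update cinder_backup pcs resource bundle for new container image - check
  when:
    - step|int == 1
  block:
    - name: set is_cinder_backup_bootstrap_node fact
      set_fact: >-
        is_cinder_backup_bootstrap_node={{cinder_backup_short_bootstrap_node_name|lower
        == ansible_facts['hostname']|lower}}
      tags: common
    - name: Check for cinder_backup retag statefile
      stat:
        path: /var/lib/tripleo/cinder_backup_needs_retag
      register: cinder_backup_retag_state_file

# NOTE(review): unlike the haproxy block further down, no task here removes
# the retag statefile afterwards; confirm it is cleaned up elsewhere.
- name: Update cinder_backup pcs resource bundle for new container image
  when:
    - step|int == 1
    # |bool keeps this condition consistent with the haproxy, galera, rabbitmq
    # and redis blocks and independent of how the fact value was stored.
    - is_cinder_backup_bootstrap_node|bool
    - cinder_backup_retag_state_file.stat.exists|bool
  block:
    - name: Disable the cinder_backup cluster resource before container upgrade step1
      pacemaker_resource:
        resource: openstack-cinder-backup
        state: disable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - name: Update the cinder_backup bundle to use the new container image name
      command: >-
        pcs resource bundle update openstack-cinder-backup
        container image={{cinder_backup_image_latest}}
    - name: Enable the cinder_backup cluster resource
      pacemaker_resource:
        resource: openstack-cinder-backup
        state: enable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0

# ---------------------------------------------------------------------------
# cinder_volume
# ---------------------------------------------------------------------------
- name: Update cinder_volume pcs resource bundle for new container image
  when:
    - step|int == 1
  block:
    - name: set is_cinder_volume_bootstrap_node fact
      set_fact: >-
        is_cinder_volume_bootstrap_node={{cinder_volume_short_bootstrap_node_name|lower
        == ansible_facts['hostname']|lower}}
      tags: common
    - name: Check for cinder_volume retag statefile
      stat:
        path: /var/lib/tripleo/cinder_volume_needs_retag
      register: cinder_volume_retag_state_file

- name: Update cinder_volume pcs resource bundle for new container image
  when:
    - step|int == 1
    - is_cinder_volume_bootstrap_node|bool
    - cinder_volume_retag_state_file.stat.exists|bool
  block:
    - name: Disable the cinder_volume cluster resource before container upgrade
      pacemaker_resource:
        resource: openstack-cinder-volume
        state: disable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - name: pcs resource bundle update cinder_volume for new container image name
      command: >-
        pcs resource bundle update openstack-cinder-volume
        container image={{cinder_volume_image_latest}}
    - name: Enable the cinder_volume cluster resource
      pacemaker_resource:
        resource: openstack-cinder-volume
        state: enable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0

# This task has no `when`, so it is not limited to step 1.
- name: remove rsyslog configuration for podman healthcheck log
  include_role:
    name: tripleo_podman
    tasks_from: tripleo_podman_rsyslog_cleanup

# ---------------------------------------------------------------------------
# haproxy
# ---------------------------------------------------------------------------
- name: Update haproxy pcs resource bundle for new container image
  when:
    - step|int == 1
  block:
    - name: Set upgrade haproxy facts
      set_fact:
        is_haproxy_bootstrap_node: "{{haproxy_short_bootstrap_node_name|lower == ansible_facts['hostname']|lower}}"
    - name: Check for haproxy retag statefile
      stat:
        path: /var/lib/tripleo/haproxy_needs_retag
      register: haproxy_retag_state_file

- name: Update haproxy pcs resource bundle for new container image
  when:
    - step|int == 1
    - is_haproxy_bootstrap_node|bool
    - haproxy_retag_state_file.stat.exists|bool
  block:
    - name: Disable the haproxy cluster resource before container upgrade
      pacemaker_resource:
        resource: haproxy-bundle
        state: disable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - name: Expose HAProxy stats socket on the host and mount TLS cert if needed
      block:
        # failed_when: false because a non-zero rc is the expected answer
        # when the mapping does not exist yet; the rc is tested below.
        - name: Check haproxy stats socket configuration in pacemaker
          command: >-
            cibadmin --query --xpath
            "//storage-mapping[@id='haproxy-var-lib']"
          failed_when: false
          register: haproxy_stats_exposed
        - name: Check haproxy public certificate configuration in pacemaker
          command: >-
            cibadmin --query --xpath
            "//storage-mapping[@id='haproxy-cert']"
          failed_when: false
          register: haproxy_cert_mounted
        # The stats socket directory is mounted read-write into the bundle.
        - name: Add a bind mount for stats socket in the haproxy bundle
          command: >-
            pcs resource bundle update haproxy-bundle storage-map add
            id=haproxy-var-lib
            source-dir=/var/lib/haproxy
            target-dir=/var/lib/haproxy
            options=rw
          when: haproxy_stats_exposed.rc == 6
        - name: Set HAProxy public cert volume mount fact
          set_fact:
            haproxy_public_cert_path: /etc/pki/tls/private/overcloud_endpoint.pem
            haproxy_public_tls_enabled: true
        # The certificate file (it lives under /etc/pki/tls/private) is
        # mounted read-only; keep options=ro so the container cannot
        # modify it.
        - name: Add a bind mount for public certificate in the haproxy bundle
          command: >-
            pcs resource bundle update haproxy-bundle storage-map add
            id=haproxy-cert
            source-dir={{ haproxy_public_cert_path }}
            target-dir=/var/lib/kolla/config_files/src-tls/{{ haproxy_public_cert_path }}
            options=ro
          when:
            - haproxy_cert_mounted.rc == 6
            - haproxy_public_tls_enabled|bool
    - name: Update the haproxy bundle to use the new container image name
      command: >-
        pcs resource bundle update haproxy-bundle
        container image={{haproxy_image_latest}}
    - name: Enable the haproxy cluster resource
      pacemaker_resource:
        resource: haproxy-bundle
        state: enable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    # Removing the statefile keeps this block from running again on the
    # next pass.
    - name: Remove haproxy retag statefile
      file:
        path: /var/lib/tripleo/haproxy_needs_retag
        state: absent

# ---------------------------------------------------------------------------
# manila_share
# ---------------------------------------------------------------------------
- name: Update openstack-manila-share pcs resource bundle for new container image
  when:
    - step|int == 1
  block:
    - name: set is_manila_share_bootstrap_node fact
      set_fact: >-
        is_manila_share_bootstrap_node={{manila_share_short_bootstrap_node_name|lower
        == ansible_facts['hostname']|lower}}
      tags: common
    - name: Check for manila_share retag statefile
      stat:
        path: /var/lib/tripleo/manila_share_needs_retag
      register: manila_share_retag_state_file

- name: Update openstack-manila-share pcs resource bundle for new container image
  when:
    - step|int == 1
    - is_manila_share_bootstrap_node|bool
    - manila_share_retag_state_file.stat.exists|bool
  block:
    - name: Disable the manila_share cluster resource before container upgrade
      pacemaker_resource:
        resource: openstack-manila-share
        state: disable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - name: pcs resource bundle update manila_share for new container image name
      command: >-
        pcs resource bundle update openstack-manila-share
        container image={{manila_share_image_latest}}
    - name: Enable the manila_share cluster resource
      pacemaker_resource:
        resource: openstack-manila-share
        state: enable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0

# ---------------------------------------------------------------------------
# mysql / galera
# ---------------------------------------------------------------------------
- name: set mysql container name fact
  set_fact:
    mysql_container_name: galera-bundle
  when:
    - step|int == 1

# Runs only on the mysql bootstrap node. Finds the running galera container,
# lists the accounts whose user name appears in hieradata and whose host is
# not '%', then drops those accounts.
- name: Drop unused OpenStack DB users
  when:
    - step|int == 1
    - mysql_short_bootstrap_node_name|lower == ansible_facts['hostname']|lower
  block:
    - name: mysql container id
      command: >-
        podman ps -q
        --filter name={{ mysql_container_name }}
        --filter status=running
      register: mysql_container_id
    - name: set mysql container id fact
      set_fact:
        mysql_container: '{{ mysql_container_id.stdout }}'
    - name: Mysql script to drop unused DB users
      # Skipped entirely when no running container was found.
      when: ( mysql_container | length ) > 0
      block:
        - name: Get the list of all OpenStack DB users
          shell: >-
            jq -r 'to_entries[] | select(.key|endswith("::db::mysql::user")) | .value'
            /etc/puppet/hieradata/service_configs.json
          register: openstack_db_users
        # Each name is shell-quoted before it is placed in the for-list, so a
        # value containing whitespace or shell metacharacters cannot change
        # the command that is run.
        # $u is still substituted into a SQL string literal; the names come
        # from the hieradata file read above, so that file has to stay
        # trusted.
        # NOTE(review): -it asks podman for an interactive TTY, which an
        # automated run should not need; confirm before removing it.
        - name: List all DB users that match the DB users to be dropped
          shell: >-
            for u in {{ openstack_db_users.stdout_lines | map('quote') | join(' ') }}; do
            podman exec -u root -it "{{ mysql_container }}" mysql -sNe
            "select concat('\`',user,'\`@\`',host,'\`') from mysql.user
            where user = '$u' and host != '%';";
            done
          register: mysql_db_users
        # Printed so the run log records exactly which accounts are dropped.
        - name: resulting DB users to be dropped
          debug:
            msg: '{{ mysql_db_users.stdout_lines }}'
        # The whole statement is passed through the quote filter, so an
        # account string containing a single quote stays one argument to
        # mysql instead of ending the shell string early.
        - name: Drop all unneeded Openstack DB users
          shell: >-
            podman exec -u root -it "{{ mysql_container }}" mysql -sNe
            {{ ('drop user ' ~ item ~ ';') | quote }}
          loop: '{{ mysql_db_users.stdout_lines }}'

- name: Update galera pcs resource bundle for new container image - check
  when:
    - step|int == 1
  block:
    - name: set is_mysql_bootstrap_node fact
      set_fact: >-
        is_mysql_bootstrap_node={{mysql_short_bootstrap_node_name|lower
        == ansible_facts['hostname']|lower}}
      tags: common
    - name: Check for galera retag statefile
      stat:
        path: /var/lib/tripleo/galera_needs_retag
      register: galera_retag_state_file

- name: Update galera pcs resource bundle for new container image
  when:
    - step|int == 1
    - is_mysql_bootstrap_node|bool
    - galera_retag_state_file.stat.exists|bool
  block:
    - name: Disable the galera cluster resource before container upgrade
      pacemaker_resource:
        resource: galera-bundle
        state: disable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - name: Move Mysql logging to /var/log/containers
      block:
        - name: Check Mysql logging configuration in pacemaker
          command: >-
            cibadmin --query --xpath
            "//storage-mapping[@id='mysql-log']"
          failed_when: false
          register: mysql_logs_moved
        - name: Change Mysql logging configuration in pacemaker
          when: mysql_logs_moved.rc == 6
          block:
            - name: Add a bind mount for logging in the galera bundle
              command: >-
                pcs resource bundle update galera-bundle storage-map add
                id=mysql-log
                source-dir=/var/log/containers/mysql
                target-dir=/var/log/mysql
                options=rw
            - name: Reconfigure Mysql log file in the galera resource agent
              command: pcs resource update galera log=/var/log/mysql/mysqld.log
    - name: Update the galera bundle to use the new container image name
      command: >-
        pcs resource bundle update galera-bundle
        container image={{galera_image_latest}}
    - name: Enable the galera cluster resource
      pacemaker_resource:
        resource: galera-bundle
        state: enable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0

- name: Ensure old cron.daily is absent
  file:
    path: /etc/cron.daily/containers-tmpwatch
    state: absent
  when: step|int == 1

# ---------------------------------------------------------------------------
# rabbitmq (oslo messaging rpc)
# ---------------------------------------------------------------------------
- name: Update rabbitmq-bundle pcs resource bundle for new container image
  when:
    - step|int == 1
  block:
    - name: set is_rpc_rabbitmq_bootstrap_node fact
      set_fact: >-
        is_rpc_rabbitmq_bootstrap_node={{oslo_messaging_rpc_short_bootstrap_node_name|lower
        == ansible_facts['hostname']|lower}}
    - name: Check for rabbitmq_rpc retag statefile
      stat:
        path: /var/lib/tripleo/rabbitmq_rpc_needs_retag
      register: rabbitmq_rpc_retag_state_file

- name: Update rabbitmq-bundle pcs resource bundle for new container image
  when:
    - step|int == 1
    - is_rpc_rabbitmq_bootstrap_node|bool
    - rabbitmq_rpc_retag_state_file.stat.exists|bool
  block:
    - name: Disable the rabbitmq cluster resource before container upgrade
      pacemaker_resource:
        resource: rabbitmq-bundle
        state: disable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - name: Check rabbitmq logging configuration in pacemaker
      command: >-
        cibadmin --query --xpath
        "//storage-mapping[@id='rabbitmq-log']"
      failed_when: false
      register: rabbitmq_logs_moved
    - name: Add a bind mount for logging in the rabbitmq bundle
      command: >-
        pcs resource bundle update rabbitmq-bundle storage-map add
        id=rabbitmq-log
        source-dir=/var/log/containers/rabbitmq
        target-dir=/var/log/rabbitmq
        options=rw
      when: rabbitmq_logs_moved.rc == 6
    - name: Update the rabbitmq bundle to use the new container image name
      command: >-
        pcs resource bundle update rabbitmq-bundle
        container image={{rabbitmq_rpc_image_latest}}
    - name: Enable the rabbitmq cluster resource
      pacemaker_resource:
        resource: rabbitmq-bundle
        state: enable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0

# ---------------------------------------------------------------------------
# podman registry and install
# ---------------------------------------------------------------------------
- name: Configure Podman registry
  when:
    - step|int == 1
  block:
    # The entries are joined with an empty separator and written as one line.
    - name: Make sure the Undercloud hostname is included in /etc/hosts
      lineinfile:
        dest: /etc/hosts
        line: "{{ undercloud_hosts_entries | join('') }}"
        state: present
      when:
        - undercloud_hosts_entries is defined

- name: Run podman install
  tags:
    - system_upgrade
    - system_upgrade_run
  when:
    - step|int == 1
  block:
    # no_log on the three fact tasks keeps the registry login data out of
    # the task output.
    - name: Set login facts
      no_log: true
      set_fact:
        container_default_pids_limit: 4096
        container_events_logger_mechanism: journald
        # NOTE(review): presumably registries listed here are contacted
        # without TLS verification by the tripleo_podman role; keep the list
        # empty unless one is really required.
        container_registry_insecure_registries: []
        container_registry_login: false
        container_registry_logins: {}
        container_registry_logins_json: {}
    # The logins may arrive as a JSON string or as a mapping; exactly one of
    # the next two tasks normalises them into container_registry_logins.
    - name: Convert logins json to dict
      no_log: true
      set_fact:
        container_registry_logins: '{{ container_registry_logins_json | from_json }}'
      when:
        - container_registry_logins_json is string
        - container_registry_login | bool
        - (container_registry_logins_json | length) > 0
    - name: Set registry logins
      no_log: true
      set_fact:
        container_registry_logins: '{{ container_registry_logins_json }}'
      when:
        - container_registry_logins_json is mapping
        - container_registry_login | bool
        - (container_registry_logins_json | length) > 0
    - name: Run podman install
      include_role:
        name: tripleo_podman
        tasks_from: tripleo_podman_install.yml
      vars:
        tripleo_container_default_pids_limit: '{{ container_default_pids_limit }}'
        tripleo_container_events_logger_mechanism: '{{ container_events_logger_mechanism }}'
        tripleo_container_registry_insecure_registries: '{{ container_registry_insecure_registries }}'
    - name: Run podman login
      include_role:
        name: tripleo_podman
        tasks_from: tripleo_podman_login.yml
      vars:
        tripleo_container_registry_login: '{{ container_registry_login | bool }}'
        tripleo_container_registry_logins: '{{ container_registry_logins }}'

# ---------------------------------------------------------------------------
# redis
# ---------------------------------------------------------------------------
- name: redis_pacemaker_puppet_tmpfile_cleanup
  when: step|int == 1
  block:
    - name: Clean old tmpfile configuration
      file:
        path: /etc/tmpfiles.d/var-run-redis.conf
        state: absent

- name: Update redis-bundle pcs resource bundle for new container image
  when:
    - step|int == 1
  block:
    - name: Set upgrade redis facts
      set_fact:
        is_redis_bootstrap_node: "{{redis_short_bootstrap_node_name|lower == ansible_facts['hostname']|lower}}"
    - name: Check for redis retag statefile
      stat:
        path: /var/lib/tripleo/redis_needs_retag
      register: redis_retag_state_file

- name: Update redis-bundle pcs resource bundle for new container image
  when:
    - step|int == 1
    - is_redis_bootstrap_node|bool
    - redis_retag_state_file.stat.exists|bool
  block:
    - name: Disable the redis cluster resource before container upgrade
      pacemaker_resource:
        resource: redis-bundle
        state: disable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - name: Move redis logging to /var/log/containers
      block:
        # The query matches only a redis-log mapping that already uses the
        # new source directory.
        - name: Check redis logging configuration in pacemaker
          command: >-
            cibadmin --query --xpath
            "//storage-mapping[@id='redis-log' and @source-dir='/var/log/containers/redis']"
          failed_when: false
          register: redis_logs_moved
        # NOTE(review): the remove task runs whenever the query above finds
        # no match, which assumes a redis-log mapping with another
        # source-dir already exists; confirm.
        - name: Change redis logging configuration in pacemaker
          when: redis_logs_moved.rc == 6
          block:
            - name: Remove old bind mount for logging in the redis bundle
              command: pcs resource bundle update redis-bundle storage-map remove redis-log
            - name: Add a bind mount for logging in the redis bundle
              command: >-
                pcs resource bundle update redis-bundle storage-map add
                id=redis-log
                source-dir=/var/log/containers/redis
                target-dir=/var/log/redis
                options=rw
    - name: Update the redis bundle to use the new container image name
      command: >-
        pcs resource bundle update redis-bundle
        container image={{redis_image_latest}}
    - name: Enable the redis cluster resource
      pacemaker_resource:
        resource: redis-bundle
        state: enable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0

# ---------------------------------------------------------------------------
# host services
# ---------------------------------------------------------------------------
- name: Stop snmp service
  service:
    name: snmpd
    state: stopped
  when:
    - step|int == 1
    - snmpd_enabled|bool

# Stops and disables the two tripleo iptables units and deletes their unit
# files. failed_when: false lets the run continue when a unit cannot be
# stopped or disabled.
# NOTE(review): nothing visible here shows what applies the host firewall
# rules once these units are gone; confirm before relying on this cleanup.
- name: Cleanup tripleo-iptables services
  when:
    - (step | int) == 1
  block:
    - name: Disable tripleo-iptables.service
      systemd:
        enabled: false
        name: tripleo-iptables.service
        state: stopped
      failed_when: false
      register: systemd_tripleo_iptables
    - name: Cleanup tripleo-iptables.services
      file:
        path: /etc/systemd/system/tripleo-iptables.service
        state: absent
    - name: Disable tripleo-ip6tables.service
      systemd:
        enabled: false
        name: tripleo-ip6tables.service
        state: stopped
      failed_when: false
      register: systemd_tripleo_ip6tables
    - name: Cleanup tripleo-ip6tables.services
      file:
        path: /etc/systemd/system/tripleo-ip6tables.service
        state: absent
    # systemd is reloaded only when one of the units actually changed.
    - name: Reload systemd
      systemd:
        daemon_reload: true
      when:
        - (systemd_tripleo_iptables is changed or systemd_tripleo_ip6tables is changed)

# ---------------------------------------------------------------------------
# leapp
# ---------------------------------------------------------------------------
# Only the distribution subset is gathered; '!all' and '!min' switch off the
# default fact sets.
- name: Gather missing facts
  setup:
    gather_subset:
      - '!all'
      - '!min'
      - distribution
  tags:
    - always

# upgrade_leapp_enabled is true only when _upgradeLeappEnabled is set and the
# host reports distribution RedHat with major version 8.
- name: Set leapp facts
  set_fact:
    upgrade_leapp_command_options: ''
    upgrade_leapp_debug: false
    upgrade_leapp_devel_skip: ''
    upgrade_leapp_enabled: >-
      {{ _upgradeLeappEnabled | bool and
      ansible_facts['distribution'] == 'RedHat' and
      ansible_facts['distribution_major_version'] is version('8', '==') }}
    upgrade_leapp_post_reboot_delay: 120
    upgrade_leapp_reboot_timeout: 3600
  tags:
    - always
  vars:
    _upgradeLeappEnabled: false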