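---
# Ansible host-preparation tasks for an overcloud node (TripleO).
# The source copy was collapsed onto a few lines; this is the same task list
# re-indented, with block scalars for the embedded shell/puppet snippets.
# Tasks gated with `when: false` never run; they look generator-emitted for
# services disabled on this role — confirm before deleting them.

- name: Run firewall role
  include_role:
    name: tripleo_firewall

# collectd: log dir readable only by owner/group, user-scripts dir world-readable.
- name: create persistent directories
  file:
    path: '{{ item.path }}'
    mode: '{{ item.mode }}'
    setype: '{{ item.setype }}'
    state: directory
  with_items:
    - path: /var/log/containers/collectd
      mode: '0750'
      setype: container_file_t
    - path: /var/lib/container-user-scripts/
      mode: '0755'
      setype: container_file_t

- name: import provision_mcelog
  include_role:
    name: tripleo_provision_mcelog
  when: false

# Only touch SELinux booleans when SELinux is actually enforcing/permissive.
- name: allow logrotate to read inside containers
  seboolean:
    name: logrotate_read_inside_containers
    persistent: true
    state: true
  when:
    - ansible_facts.selinux is defined
    - ansible_facts.selinux.status == "enabled"

# Endpoint certificate parameters. cert_content is empty in this task list,
# so the "manage certificate" block below is skipped on this role; no_log is
# still applied because the fact may hold key material when it is set.
- name: get parameters
  set_fact:
    cert_content: ''
    cert_path: /etc/pki/tls/private/overcloud_endpoint.pem
    chain_content: ''
    key_content: ''
  no_log: '{{ hide_sensitive_logs | bool }}'

- name: manage certificate
  when:
    - cert_content is defined
    - cert_content != ''
  block:
    - name: get DeployedSSLCertificatePath attributes
      stat:
        path: '{{ cert_path }}'
      register: attr_cert_path

    # Skipped when no bootstrap node name is given; the later task that reads
    # is_haproxy_bootstrap_node is guarded by `bootstrap_node is defined` first,
    # so the undefined fact is not evaluated in that case (Ansible stops at the
    # first false condition in the list).
    - name: set is_haproxy_bootstrap_node fact
      set_fact:
        is_haproxy_bootstrap_node: "{{ haproxy_short_bootstrap_node_name | lower == ansible_facts['hostname'] | lower }}"
      when:
        - haproxy_short_bootstrap_node_name | default(false)

    - name: get haproxy status
      systemd:
        name: haproxy
      register: haproxy_state

    - name: get pacemaker status
      systemd:
        name: pacemaker
      register: pacemaker_state

    - name: get docker status
      systemd:
        name: docker
      register: docker_state

    # Look up running haproxy / haproxy-bundle containers. Only meaningful when
    # the certificate path is a regular file (not a directory).
    - name: get container_id
      command: "{{ container_cli }} ps -q -f name='^haproxy(-bundle)?'"
      register: container_id
      when:
        - docker_state.status.ActiveState == 'active' or container_cli == 'podman'
        - attr_cert_path.stat.exists
        - not attr_cert_path.stat.isdir

    # Resource name is parsed out of local `pcs status` output, not user input.
    - name: get pcs resource name for haproxy container
      shell: 'pcs status resources | sed -n ''s/^.*container.*: \(haproxy.*\) .*/\1/p'''
      register: pacemaker_resource
      when:
        - bootstrap_node is defined
        - is_haproxy_bootstrap_node
        - pacemaker_state.status.ActiveState == 'active'
        - attr_cert_path.stat.exists
        - attr_cert_path.stat.isdir

    - name: remove DeployedSSLCertificatePath if is dir
      file:
        path: '{{ cert_path }}'
        state: absent
      when: attr_cert_path.stat.isdir is defined and attr_cert_path.stat.isdir

    # Certificate, chain and private key concatenated one PEM block per line.
    # 0440 (decimal 288 in the generated form) root:haproxy — private key is
    # readable only by root and, after the chgrp below, the haproxy group.
    - name: push certificate content
      copy:
        content: |
          {{ cert_content }}
          {{ chain_content }}
          {{ key_content }}
        dest: '{{ cert_path }}'
        owner: root
        mode: '0440'
      no_log: '{{ hide_sensitive_logs | bool }}'

    - name: BM haproxy non-pacemaker context
      when: haproxy_state.status.ActiveState == 'active'
      block:
        - name: set certificate ownership
          file:
            path: '{{ cert_path }}'
            group: haproxy

        - name: reload haproxy if enabled
          service:
            name: haproxy
            state: reloaded

    - name: restart pacemaker resource for haproxy
      command: pcs resource restart "{{ pacemaker_resource.stdout }}"
      when:
        - pacemaker_resource is defined
        - pacemaker_resource.stdout is defined
        - pacemaker_resource.stdout != ''

    - name: dedicated part for containers
      when:
        - container_id is defined
        - container_id.stdout is defined
        - container_id.stdout != ''
      block:
        # Bundles get the file via tar (cp is not usable on them); plain
        # containers via `cp`. HUP makes haproxy re-read the certificate.
        # failed_when entries are AND-ed: a non-zero rc is tolerated only when
        # the container has gone away or is in an improper state.
        - name: copy certificate, chgrp, restart haproxy
          shell: |
            set -e
            if {{ container_cli }} ps -f "id={{ item }}" --format "{{ '{{' }}.Names{{ '}}' }}" | grep -q "^haproxy-bundle"; then
              tar -c {{ cert_path }} | {{ container_cli }} exec -i {{ item }} tar -C / -xv
            else
              {{ container_cli }} cp {{ cert_path }} {{ item }}:{{ cert_path }}
            fi
            {{ container_cli }} exec --user root {{ item }} chgrp haproxy {{ cert_path }}
            {{ container_cli }} kill --signal=HUP {{ item }}
          register: container_kill_result
          failed_when:
            - container_kill_result.rc != 0
            - ("no such container" not in container_kill_result.stderr)
            - ("container state improper" not in container_kill_result.stderr)
          # `ps -q` prints one id per line; split on any whitespace so more
          # than one matching container is handled as separate items.
          with_items: '{{ container_id.stdout.split() }}'

- name: create persistent directories
  file:
    path: '{{ item.path }}'
    mode: '{{ item.mode | default(omit) }}'
    setype: '{{ item.setype }}'
    state: directory
  with_items:
    - path: /var/log/containers/haproxy
      mode: '0750'
      setype: var_log_t
    - path: /var/lib/haproxy
      setype: container_file_t

# puppet exit code 2 means "changes applied"; anything outside [0, 2] is
# turned into a failure by the debug task that follows, which also prints the
# captured output (no_log here only hides the raw module result).
- name: Run puppet on the host to apply IPtables rules
  shell: |
    puppet apply {{ (puppet_debug | bool) | ternary('--debug --verbose', '') }} --detailed-exitcodes --summarize --color=false \
      --modulepath '{{ puppet_modulepath }}' --tags '{{ puppet_tags }}' -e '{{ puppet_execute }}'
  vars:
    puppet_debug: false
    # NOTE(review): this value is interpolated inside the single-quoted -e
    # argument above, so its own single quotes are consumed by the shell and
    # puppet receives barewords; it works because puppet accepts them as
    # strings, but it is fragile — confirm before editing the expression.
    puppet_execute: 'if hiera(''enable_load_balancer'', true) { class {''::tripleo::haproxy'': use_internal_certificates => false, manage_firewall => hiera(''tripleo::firewall::manage_firewall'', true), }}'
    puppet_modulepath: /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules
    puppet_tags: tripleo::firewall::rule
  register: puppet_host_outputs
  changed_when: puppet_host_outputs.rc == 2
  failed_when: false
  no_log: true

- name: 'Debug output for task: Run puppet on the host to apply IPtables rules'
  debug:
    var: "puppet_host_outputs.stdout_lines | default([]) | union(puppet_host_outputs.stderr_lines | default([]))"
  failed_when: puppet_host_outputs.rc not in [0, 2]
  when:
    - not (ansible_check_mode | bool)
    - puppet_host_outputs.rc is defined

# iscsi: label the directories for container access before creating them.
- name: create fcontext entry for iscsi
  community.general.sefcontext:
    target: '{{ item.path }}(/.*)?'
    setype: '{{ item.setype }}'
    state: present
  with_items:
    - path: /etc/iscsi
      setype: container_file_t
    - path: /etc/target
      setype: container_file_t
    - path: /var/lib/iscsi
      setype: container_file_t

- name: create persistent directories
  file:
    path: '{{ item.path }}'
    setype: '{{ item.setype }}'
    state: directory
  with_items:
    - path: /etc/iscsi
      setype: container_file_t
    - path: /etc/target
      setype: container_file_t
    - path: /var/lib/iscsi
      setype: container_file_t

- name: stat /lib/systemd/system/iscsid.socket
  stat:
    path: /lib/systemd/system/iscsid.socket
  register: stat_iscsid_socket

- name: Stop and disable iscsid.socket service
  service:
    name: iscsid.socket
    state: stopped
    enabled: false
  when: stat_iscsid_socket.stat.exists

- name: Check if iscsi.service is enabled
  command: systemctl is-enabled --quiet iscsi.service
  register: iscsi_service_enabled_result
  failed_when: false

- name: Stop iscsi.service
  service:
    name: iscsi.service
    state: stopped
    enabled: false
  when:
    - iscsi_service_enabled_result is changed
    - iscsi_service_enabled_result.rc == 0

- name: Run kernel role
  include_role:
    name: tripleo_kernel

- name: create persistent logs directory
  file:
    path: '{{ item.path }}'
    mode: '{{ item.mode | default(omit) }}'
    setype: '{{ item.setype }}'
    state: directory
  with_items:
    - path: /var/log/containers/metrics_qdr
      mode: '0750'
      setype: container_file_t
    - path: /var/lib/metrics_qdr
      setype: container_file_t

- name: create persistent directories
  file:
    path: '{{ item.path }}'
    mode: '{{ item.mode | default(omit) }}'
    setype: '{{ item.setype }}'
    state: directory
  with_items:
    - path: /var/log/containers/mysql
      mode: '0750'
      setype: container_file_t
    - path: /var/lib/mysql
      setype: container_file_t
    - path: /var/log/mariadb
      mode: '0750'
      setype: container_file_t

- name: create persistent directories
  file:
    path: '{{ item.path }}'
    mode: '{{ item.mode }}'
    setype: '{{ item.setype }}'
    state: directory
  with_items:
    - path: /var/log/containers/nova
      mode: '0750'
      setype: container_file_t

- name: enable virt_sandbox_use_netlink for healthcheck
  seboolean:
    name: virt_sandbox_use_netlink
    persistent: true
    state: true
  when:
    - ansible_facts.selinux is defined
    - ansible_facts.selinux.status == "enabled"

- name: create persistent directories
  file:
    path: '{{ item.path }}'
    mode: '{{ item.mode }}'
    setype: '{{ item.setype }}'
    state: directory
  with_items:
    - path: /var/log/containers/nova
      mode: '0750'
      setype: container_file_t
    - path: /var/log/containers/httpd/nova-metadata
      mode: '0750'
      setype: container_file_t

# Fixed uid/gid 107 for qemu; presumably so host ownership matches the ids
# used inside the containers — verify against the container images.
- name: ensure qemu group is present on the host
  group:
    name: qemu
    gid: 107
    state: present

- name: ensure qemu user is present on the host
  user:
    name: qemu
    uid: 107
    group: qemu
    comment: qemu user
    shell: /sbin/nologin
    state: present

- name: create fcontext for rabbitmq data
  community.general.sefcontext:
    target: /var/lib/rabbitmq(/.*)?
    setype: container_file_t
    state: present

- name: create persistent directories
  file:
    path: '{{ item.path }}'
    mode: '{{ item.mode | default(omit) }}'
    setype: '{{ item.setype }}'
    state: directory
  with_items:
    - path: /var/lib/rabbitmq
      setype: container_file_t
    - path: /var/log/containers/rabbitmq
      mode: '0750'
      setype: container_file_t

# Pin the host epmd to loopback/4370 so it cannot take the port the container
# uses, then kill any epmd in PID 1's namespace (--ns 1) — container epmd
# processes live in other namespaces and are left alone.
- name: stop the Erlang port mapper on the host and make sure it cannot bind to the port used by container
  shell: |
    echo 'export ERL_EPMD_ADDRESS=127.0.0.1' > /etc/rabbitmq/rabbitmq-env.conf
    echo 'export ERL_EPMD_PORT=4370' >> /etc/rabbitmq/rabbitmq-env.conf
    for pid in $(pgrep epmd --ns 1 --nslist pid); do kill $pid; done

- name: Make sure python3-novaclient is installed when IHA is enabled
  package:
    name: python3-novaclient
    state: present
  when: false

# Compute nodes must not power off on the power key (instance HA fencing
# relies on the host staying up); drop any existing setting, then pin ignore.
- name: Remove existing entries from logind conf
  ansible.builtin.lineinfile:
    path: /etc/systemd/logind.conf
    regexp: '^\s*#?\s*HandlePowerKey\s*=.*'
    state: absent

- name: Make sure systemd-logind ignores power off
  ansible.builtin.lineinfile:
    path: /etc/systemd/logind.conf
    regexp: '^#?HandlePowerKey'
    line: HandlePowerKey=ignore

- name: Restart systemd-logind
  ansible.builtin.service:
    name: systemd-logind
    state: restarted

# Both pacemaker tasks below are disabled by the trailing `false` condition.
# The bootstrap-node test is written as a plain expression (not a `{{ }}`
# template), which is what Ansible expects in `when`.
- name: Gather service_facts on pacemaker_bootstrap_node
  ansible.builtin.service_facts: {}
  when:
    - (pacemaker_short_bootstrap_node_name | lower == ansible_facts['hostname'] | lower) | bool
    - false

- name: Check and eventually delete duplicate constraints (bootstrap node)
  become: true
  shell: |
    COUNT=$(cibadmin --query | xmllint --xpath '//rsc_location[@rsc="stonith-fence_compute-fence-nova"]/@id' - |grep -oP '(?<=["])[^"]*' -c)
    # numeric comparison; `>` inside [[ ]] would compare as strings
    if [[ $COUNT -gt 1 ]]; then
      echo "Detected $COUNT duplicate constraints, deleting them"
      # assemble string with current list of computes
      GOOD=$(echo location-stonith-fence_compute-fence-nova-$(hiera pacemaker_remote_short_node_names |grep -oP '".*?"' |tr -d '"'|tr -d '\n' )--10000)
      # delete old constraints
      for i in $(cibadmin --query | xmllint --xpath '//rsc_location[@rsc="stonith-fence_compute-fence-nova"]/@id' - |grep -oP '(?<=["])[^"]*' |grep -v $GOOD ); do pcs constraint delete $i ; done
    else
      echo "No duplicate constraint found"
    fi
  when:
    - (pacemaker_short_bootstrap_node_name | lower == ansible_facts['hostname'] | lower) | bool
    - false
    - ansible_facts['services']['pacemaker.service']['state'] == 'running'

# Registry login data may contain credentials: every set_fact that touches it
# runs with no_log so the values never reach the task output.
- name: Install and configure Podman
  block:
    - name: Set login facts
      set_fact:
        container_default_pids_limit: 4096
        container_events_logger_mechanism: journald
        container_registry_insecure_registries: []
        container_registry_login: false
        container_registry_logins: {}
        container_registry_logins_json: {}
      no_log: true

    - name: Convert logins json to dict
      set_fact:
        container_registry_logins: '{{ container_registry_logins_json | from_json }}'
      no_log: true
      when:
        - container_registry_logins_json is string
        - container_registry_login | bool
        - (container_registry_logins_json | length) > 0

    - name: Set registry logins
      set_fact:
        container_registry_logins: '{{ container_registry_logins_json }}'
      no_log: true
      when:
        - container_registry_logins_json is mapping
        - container_registry_login | bool
        - (container_registry_logins_json | length) > 0

    - name: Run podman install
      include_role:
        name: tripleo_podman
        tasks_from: tripleo_podman_install.yml
      vars:
        tripleo_container_default_pids_limit: '{{ container_default_pids_limit }}'
        tripleo_container_events_logger_mechanism: '{{ container_events_logger_mechanism }}'
        tripleo_container_registry_insecure_registries: '{{ container_registry_insecure_registries }}'

    - name: Run podman login
      include_role:
        name: tripleo_podman
        tasks_from: tripleo_podman_login.yml
      vars:
        tripleo_container_registry_login: '{{ container_registry_login | bool }}'
        tripleo_container_registry_logins: '{{ container_registry_logins }}'

# Marker file; its presence is what matters, the text only explains it.
- name: Configure tripleo_container_manage to generate systemd drop-in dependencies
  copy:
    content: >
      This file makes tripleo_container_manage generate additional systemd
      dependencies for containers that have special start/stop ordering
      constraints. It ensures that those constraints are enforced on
      reboot/shutdown.
    dest: /etc/sysconfig/podman_drop_in

- name: create persistent logs directory for rsyslog
  file:
    path: /var/log/containers/rsyslog
    mode: '0750'
    setype: container_file_t
    state: directory

- name: create persistent state directory for rsyslog
  file:
    path: /var/lib/rsyslog.container
    setype: container_file_t
    state: directory

# sshd hardening baseline: key-only auth (password, challenge-response and
# GSSAPI off), no DNS lookups, PAM on. The 'yes'/'no' values are quoted on
# purpose — they are sshd_config literals, not YAML booleans.
# NOTE(review): X11Forwarding is enabled here; confirm it is needed on these
# nodes, otherwise 'no' is the usual server setting.
- name: Run sshd role
  include_role:
    name: tripleo_sshd
  vars:
    tripleo_sshd_banner_enabled: false
    tripleo_sshd_banner_text: ''
    tripleo_sshd_message_of_the_day: ''
    tripleo_sshd_motd_enabled: false
    tripleo_sshd_password_authentication: 'no'
    tripleo_sshd_server_options:
      AcceptEnv:
        - LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
        - LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
        - LC_IDENTIFICATION LC_ALL LANGUAGE
        - XMODIFIERS
      AuthorizedKeysFile: .ssh/authorized_keys
      ChallengeResponseAuthentication: 'no'
      GSSAPIAuthentication: 'no'
      GSSAPICleanupCredentials: 'no'
      HostKey:
        - /etc/ssh/ssh_host_rsa_key
        - /etc/ssh/ssh_host_ecdsa_key
        - /etc/ssh/ssh_host_ed25519_key
      PrintMotd: 'no'
      Subsystem: sftp /usr/libexec/openssh/sftp-server
      SyslogFacility: AUTHPRIV
      UseDNS: 'no'
      UsePAM: 'yes'
      X11Forwarding: 'yes'

# Time sync: retire ntpd if it is active or enabled, then hand over to chrony.
- name: Check for NTP service
  shell: systemctl is-active ntpd.service || systemctl is-enabled ntpd.service
  register: ntp_service_check
  become: true
  failed_when: false

- name: Disable NTP before configuring Chrony
  service:
    name: ntpd
    state: stopped
    enabled: false
  when:
    - ntp_service_check.rc is defined
    - ntp_service_check.rc == 0

- name: Install, Configure and Run Chrony
  include_role:
    name: chrony

- name: Force NTP sync
  command: chronyc makestep

- name: Ensure system is NTP time synced
  command: chronyc waitsync 30

- name: Run timezone role
  include_role:
    name: tripleo_timezone
  vars:
    tripleo_timezone: UTC

- name: Notice - ctlplane subnet is set
  debug:
    msg: CIDRs found in the ctlplane network tags.

- name: Run tuned role
  include_role:
    name: tuned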