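---
# Ansible task list for container/pacemaker upgrade preparation. Most tasks
# are gated on `step|int == 1`.
#
# The page carried this file with its line breaks collapsed, which does not
# load as YAML and fused multi-line shell scripts into single commands.
# Nesting is restored from the key order (alphabetical inside every mapping
# in the collapsed text). Changes beyond layout:
#   * key=value module arguments are written as native YAML mappings
#   * the throwaway `podman run` used for the release check gets `--rm`
#   * `set -o pipefail` and `sed` are back on separate script lines

- name: remove rsyslog configuration for podman healthcheck log
  include_role:
    name: tripleo_podman
    tasks_from: tripleo_podman_rsyslog_cleanup

# ---------------------------------------------------------------- haproxy --
- name: Update haproxy pcs resource bundle for new container image
  when:
    - step|int == 1
  block:
    - name: Set upgrade haproxy facts
      set_fact:
        is_haproxy_bootstrap_node: >-
          {{ haproxy_short_bootstrap_node_name | lower ==
          ansible_facts['hostname'] | lower }}
    - name: Check for haproxy retag statefile
      stat:
        path: /var/lib/tripleo/haproxy_needs_retag
      register: haproxy_retag_state_file

# Runs only on the bootstrap node and only while the retag statefile exists;
# the last task removes that file, so a rerun skips the whole block.
- name: Update haproxy pcs resource bundle for new container image
  when:
    - step|int == 1
    - is_haproxy_bootstrap_node|bool
    - haproxy_retag_state_file.stat.exists|bool
  block:
    - name: Disable the haproxy cluster resource before container upgrade
      pacemaker_resource:
        resource: haproxy-bundle
        state: disable
        wait_for_resource: true
      register: output
      # Up to 5 retries, stopping as soon as the module reports rc 0.
      retries: 5
      until: output.rc == 0
    - name: Expose HAProxy stats socket on the host and mount TLS cert if needed
      block:
        # failed_when: false keeps a non-zero cibadmin exit from aborting the
        # play; only rc 6 is acted on below (taken here as "mapping absent").
        # Any other non-zero rc is silently treated as "nothing to add".
        - name: Check haproxy stats socket configuration in pacemaker
          command: cibadmin --query --xpath "//storage-mapping[@id='haproxy-var-lib']"
          failed_when: false
          register: haproxy_stats_exposed
        - name: Check haproxy public certificate configuration in pacemaker
          command: cibadmin --query --xpath "//storage-mapping[@id='haproxy-cert']"
          failed_when: false
          register: haproxy_cert_mounted
        - name: Add a bind mount for stats socket in the haproxy bundle
          command: >-
            pcs resource bundle update haproxy-bundle storage-map add
            id=haproxy-var-lib source-dir=/var/lib/haproxy
            target-dir=/var/lib/haproxy options=rw
          when: haproxy_stats_exposed.rc == 6
        - name: Set HAProxy public cert volume mount fact
          set_fact:
            haproxy_public_cert_path: /etc/pki/tls/private/overcloud_endpoint.pem
            haproxy_public_tls_enabled: false
        # The certificate path is mounted read-only (options=ro), and only
        # when public TLS is enabled (false in the facts set just above).
        - name: Add a bind mount for public certificate in the haproxy bundle
          command: >-
            pcs resource bundle update haproxy-bundle storage-map add
            id=haproxy-cert
            source-dir={{ haproxy_public_cert_path }}
            target-dir=/var/lib/kolla/config_files/src-tls/{{ haproxy_public_cert_path }}
            options=ro
          when:
            - haproxy_cert_mounted.rc == 6
            - haproxy_public_tls_enabled|bool
    - name: Update the haproxy bundle to use the new container image name
      command: pcs resource bundle update haproxy-bundle container image={{haproxy_image_latest}}
    - name: Enable the haproxy cluster resource
      pacemaker_resource:
        resource: haproxy-bundle
        state: enable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - name: Remove haproxy retag statefile
      file:
        path: /var/lib/tripleo/haproxy_needs_retag
        state: absent

# ----------------------------------------------------------- mysql/galera --
- name: set mysql container name fact
  set_fact:
    mysql_container_name: galera-bundle
  when:
    - step|int == 1

- name: Drop unused OpenStack DB users
  when:
    - step|int == 1
    - mysql_short_bootstrap_node_name|lower == ansible_facts['hostname']|lower
  block:
    - name: mysql container id
      command: podman ps -q --filter name={{ mysql_container_name }} --filter status=running
      register: mysql_container_id
    - name: set mysql container id fact
      set_fact:
        mysql_container: '{{ mysql_container_id.stdout }}'
    # Skipped entirely when no running container matched the filter.
    - name: Mysql script to drop unused DB users
      when: ( mysql_container | length ) > 0
      block:
        - name: Get the list of all OpenStack DB users
          shell: >-
            jq -r 'to_entries[] | select(.key|endswith("::db::mysql::user")) | .value'
            /etc/puppet/hieradata/service_configs.json
          register: openstack_db_users
        # Selects accounts for the hieradata user names whose host is not
        # the '%' wildcard; each output line is a `user`@`host` pair.
        # NOTE(review): the names are substituted unquoted into the shell
        # word list and, via $u, into the SQL text. That is only sound while
        # service_configs.json is writable by trusted parties alone and the
        # names hold no shell or SQL metacharacters - confirm.
        # NOTE(review): `-t` asks podman for a TTY although this runs
        # non-interactively; verify it is needed.
        - name: List all DB users that match the DB users to be dropped
          shell: >-
            for u in {{ openstack_db_users.stdout_lines | join(' ') }}; do
            podman exec -u root -it "{{ mysql_container }}" mysql -sNe
            "select concat('\`',user,'\`@\`',host,'\`') from mysql.user
            where user = '$u' and host != '%';"; done
          register: mysql_db_users
        # Prints the drop list before anything is removed, which leaves an
        # audit trail in the run output.
        - name: resulting DB users to be dropped
          debug:
            msg: '{{ mysql_db_users.stdout_lines }}'
        # Each item is pasted verbatim into a DROP USER statement executed as
        # root in the container; it is exactly what the query above printed.
        - name: Drop all unneeded Openstack DB users
          shell: >-
            podman exec -u root -it "{{ mysql_container }}"
            mysql -sNe 'drop user {{ item }};'
          loop: '{{ mysql_db_users.stdout_lines }}'

- name: 'Update galera pcs resource bundle for new container image - check'
  when:
    - step|int == 1
  block:
    - name: set is_mysql_bootstrap_node fact
      set_fact:
        is_mysql_bootstrap_node: >-
          {{ mysql_short_bootstrap_node_name | lower ==
          ansible_facts['hostname'] | lower }}
      tags: common
    - name: Check for galera retag statefile
      stat:
        path: /var/lib/tripleo/galera_needs_retag
      register: galera_retag_state_file

# NOTE(review): unlike the haproxy block, nothing visible here removes
# /var/lib/tripleo/galera_needs_retag afterwards - confirm it is cleaned up
# elsewhere, otherwise the bundle is disabled and re-enabled on every run.
- name: Update galera pcs resource bundle for new container image
  when:
    - step|int == 1
    - is_mysql_bootstrap_node|bool
    - galera_retag_state_file.stat.exists|bool
  block:
    - name: Disable the galera cluster resource before container upgrade
      pacemaker_resource:
        resource: galera-bundle
        state: disable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - name: Move Mysql logging to /var/log/containers
      block:
        # Same probe pattern as for haproxy: errors ignored, rc 6 acted on.
        - name: Check Mysql logging configuration in pacemaker
          command: cibadmin --query --xpath "//storage-mapping[@id='mysql-log']"
          failed_when: false
          register: mysql_logs_moved
        - name: Change Mysql logging configuration in pacemaker
          when: mysql_logs_moved.rc == 6
          block:
            - name: Add a bind mount for logging in the galera bundle
              command: >-
                pcs resource bundle update galera-bundle storage-map add
                id=mysql-log source-dir=/var/log/containers/mysql
                target-dir=/var/log/mysql options=rw
            - name: Reconfigure Mysql log file in the galera resource agent
              command: pcs resource update galera log=/var/log/mysql/mysqld.log
    - name: Update the galera bundle to use the new container image name
      command: pcs resource bundle update galera-bundle container image={{galera_image_latest}}
    - name: Enable the galera cluster resource
      pacemaker_resource:
        resource: galera-bundle
        state: enable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0

# ------------------------------------------------------- nova / virtlogd --
- name: nova_libvirt_container_tmpfile_cleanup
  when: step|int == 1
  block:
    - name: Remove old tmpfiles.d config
      file:
        path: /etc/tmpfiles.d/var-run-libvirt.conf
        state: absent

# NOTE(review): the image is referenced by tag, not by digest, and the next
# task force-pulls it, so the host runs whatever the registry serves for
# that tag at pull time. Pinning a digest would make the pulled content
# verifiable - confirm whether that is handled by container-image-prepare.
- name: Get container virtlogd image
  set_fact:
    virtlogd_image: 'registry.redhat.io/rhosp-rhel9/openstack-nova-libvirt:17.1'
  tags: always
  when: step|int == 1

- name: Force pull image novalibvirt
  containers.podman.podman_image:
    force: true
    name: '{{ virtlogd_image }}'
  when:
    - step|int == 1

# Compares the host's /etc/redhat-release with the one inside the image.
# bash is required for the <( ) process substitution. --rm removes the
# one-shot container once `cat` exits instead of leaving it behind stopped.
# failed_when: false lets the next task decide; note that only rc 1 (files
# differ) is acted on there, so a diff error (rc 2) does not stop the play.
- name: Diff OS release in container image and baremetal
  shell: >-
    diff /etc/redhat-release
    <(podman run --rm {{ virtlogd_image }} cat /etc/redhat-release)
  args:
    executable: /bin/bash
  failed_when: false
  register: libvirt_ubi_diff
  when: step|int == 1

# Safety stop: refuses to continue on an OS mismatch unless the run was
# started with the system_upgrade tag.
# The message's original line breaks were lost on the page; folded style
# keeps the single-space wording shown there.
- name: Fail if UBI of the container does not match RHEL of running host
  fail:
    msg: >
      The host operating system versus container UBI does not match.
      {{ libvirt_ubi_diff.stdout }}
      Most likely container passed to NovaLibvirt was EL8 one.
      You have to pass the correct container for container-image-prepare.
      If you would continue all running workloads would get destroyed.
  when:
    - "'system_upgrade' not in ansible_run_tags"
    - step|int == 1
    - libvirt_ubi_diff.rc == 1

# Tagged `never`: runs only when system_upgrade is requested explicitly.
- name: Switch virtlogd image before system upgrade
  when: step|int == 1
  tags:
    - never
    - system_upgrade
  block:
    # {% raw %} keeps Ansible from templating podman's own Go template.
    - name: Get running image version
      shell: >-
        podman ps --filter name=^nova_virtlogd$
        --format "{% raw %}{{ .Image }}{% endraw %}"
      register: old_virtlogd_image
    # Two script lines: on the collapsed page they read as one command, in
    # which case sed would never run.
    # The old image name is used as a sed regular expression, so its dots
    # match any character; `|` is the delimiter and must not occur in either
    # image reference.
    - name: Switch running image to new image in wrapper script
      shell: |
        set -o pipefail
        sed -i -e 's|{{ old_virtlogd_image.stdout }}|{{ virtlogd_image }}|' /var/lib/container-config-scripts/virtlogd_wrapper
      when:
        - old_virtlogd_image.stdout != virtlogd_image
        - old_virtlogd_image.stdout != ''

- name: nova_migration_target_tmpfile_cleanup
  when: step|int == 1
  block:
    - name: Remove old tmpfiles.d config
      file:
        path: /etc/tmpfiles.d/var-run-libvirt.conf
        state: absent

- name: Ensure old cron.daily is absent
  file:
    path: /etc/cron.daily/containers-tmpwatch
    state: absent
  when: step|int == 1

# --------------------------------------------------------------- rabbitmq --
- name: Update rabbitmq-bundle pcs resource bundle for new container image
  when:
    - step|int == 1
  block:
    - name: set is_rpc_rabbitmq_bootstrap_node fact
      set_fact:
        is_rpc_rabbitmq_bootstrap_node: >-
          {{ oslo_messaging_rpc_short_bootstrap_node_name | lower ==
          ansible_facts['hostname'] | lower }}
    - name: Check for rabbitmq_rpc retag statefile
      stat:
        path: /var/lib/tripleo/rabbitmq_rpc_needs_retag
      register: rabbitmq_rpc_retag_state_file

# NOTE(review): as with galera, the retag statefile is not removed in the
# tasks visible here - confirm it is cleaned up elsewhere.
- name: Update rabbitmq-bundle pcs resource bundle for new container image
  when:
    - step|int == 1
    - is_rpc_rabbitmq_bootstrap_node|bool
    - rabbitmq_rpc_retag_state_file.stat.exists|bool
  block:
    - name: Disable the rabbitmq cluster resource before container upgrade
      pacemaker_resource:
        resource: rabbitmq-bundle
        state: disable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0
    - name: Check rabbitmq logging configuration in pacemaker
      command: cibadmin --query --xpath "//storage-mapping[@id='rabbitmq-log']"
      failed_when: false
      register: rabbitmq_logs_moved
    - name: Add a bind mount for logging in the rabbitmq bundle
      command: >-
        pcs resource bundle update rabbitmq-bundle storage-map add
        id=rabbitmq-log source-dir=/var/log/containers/rabbitmq
        target-dir=/var/log/rabbitmq options=rw
      when: rabbitmq_logs_moved.rc == 6
    - name: Update the rabbitmq bundle to use the new container image name
      command: pcs resource bundle update rabbitmq-bundle container image={{rabbitmq_rpc_image_latest}}
    - name: Enable the rabbitmq cluster resource
      pacemaker_resource:
        resource: rabbitmq-bundle
        state: enable
        wait_for_resource: true
      register: output
      retries: 5
      until: output.rc == 0

# ------------------------------------------------------- podman registry --
- name: Configure Podman registry
  when:
    - step|int == 1
  block:
    # NOTE(review): the entries are joined with an empty separator, so the
    # whole list becomes one /etc/hosts line - confirm each entry carries
    # its own line ending.
    - name: Make sure the Undercloud hostname is included in /etc/hosts
      lineinfile:
        dest: /etc/hosts
        line: "{{ undercloud_hosts_entries | join('') }}"
        state: present
      when:
        - undercloud_hosts_entries is defined

- name: Run podman install
  when:
    - step|int == 1
  tags:
    - system_upgrade
    - system_upgrade_run
  block:
    # no_log on the three fact tasks keeps registry login data out of the
    # task output. In this rendering login is disabled and the login maps
    # are empty, so both conversion tasks below are skipped.
    - name: Set login facts
      no_log: true
      set_fact:
        container_default_pids_limit: 4096
        container_events_logger_mechanism: journald
        container_registry_insecure_registries: []
        container_registry_login: false
        container_registry_logins: {}
        container_registry_logins_json: {}
    - name: Convert logins json to dict
      no_log: true
      set_fact:
        container_registry_logins: '{{ container_registry_logins_json | from_json }}'
      when:
        - container_registry_logins_json is string
        - container_registry_login | bool
        - (container_registry_logins_json | length) > 0
    - name: Set registry logins
      no_log: true
      set_fact:
        container_registry_logins: '{{ container_registry_logins_json }}'
      when:
        - container_registry_logins_json is mapping
        - container_registry_login | bool
        - (container_registry_logins_json | length) > 0
    - name: Run podman install
      include_role:
        name: tripleo_podman
        tasks_from: tripleo_podman_install.yml
      vars:
        tripleo_container_default_pids_limit: '{{ container_default_pids_limit }}'
        tripleo_container_events_logger_mechanism: '{{ container_events_logger_mechanism }}'
        tripleo_container_registry_insecure_registries: '{{ container_registry_insecure_registries }}'
    # NOTE(review): the credentials map is handed to the role here without
    # no_log on this task; confirm the role's own tasks suppress logging.
    - name: Run podman login
      include_role:
        name: tripleo_podman
        tasks_from: tripleo_podman_login.yml
      vars:
        tripleo_container_registry_login: '{{ container_registry_login | bool }}'
        tripleo_container_registry_logins: '{{ container_registry_logins }}'

# ------------------------------------------------------- service cleanup --
- name: Stop snmp service
  service:
    name: snmpd
    state: stopped
  when:
    - step|int == 1
    - snmpd_enabled|bool

# NOTE(review): both units are stopped and disabled with failures ignored and
# their unit files deleted; presumably firewall rules are persisted by another
# mechanism after this - confirm.
# daemon-reload depends only on the two systemd tasks reporting `changed`,
# not on the unit-file removals.
- name: Cleanup tripleo-iptables services
  when:
    - (step | int) == 1
  block:
    - name: Disable tripleo-iptables.service
      systemd:
        enabled: false
        name: tripleo-iptables.service
        state: stopped
      failed_when: false
      register: systemd_tripleo_iptables
    - name: Cleanup tripleo-iptables.services
      file:
        path: /etc/systemd/system/tripleo-iptables.service
        state: absent
    - name: Disable tripleo-ip6tables.service
      systemd:
        enabled: false
        name: tripleo-ip6tables.service
        state: stopped
      failed_when: false
      register: systemd_tripleo_ip6tables
    - name: Cleanup tripleo-ip6tables.services
      file:
        path: /etc/systemd/system/tripleo-ip6tables.service
        state: absent
    - name: Reload systemd
      systemd:
        daemon_reload: true
      when:
        - (systemd_tripleo_iptables is changed or systemd_tripleo_ip6tables is changed)

# ------------------------------------------------------------ leapp facts --
# Gathers only the distribution facts ('!all' and '!min' switch the default
# subsets off); the leapp facts below read them.
- name: Gather missing facts
  setup:
    gather_subset:
      - '!all'
      - '!min'
      - distribution
  tags:
    - always

# upgrade_leapp_enabled is true only if _upgradeLeappEnabled is set AND the
# host is RedHat with major version 8; _upgradeLeappEnabled is false here.
- name: Set leapp facts
  set_fact:
    upgrade_leapp_command_options: ''
    upgrade_leapp_debug: false
    upgrade_leapp_devel_skip: ''
    upgrade_leapp_enabled: >-
      {{ _upgradeLeappEnabled | bool and
      ansible_facts['distribution'] == 'RedHat' and
      ansible_facts['distribution_major_version'] is version('8', '==') }}
    upgrade_leapp_post_reboot_delay: 120
    upgrade_leapp_reboot_timeout: 3600
  tags:
    - always
  vars:
    _upgradeLeappEnabled: false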