heat_template_version: wallaby description: > TripleO Package installation settings parameters: ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. Use parameter_merge_strategies to merge it with the defaults. type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json EnablePackageInstall: default: 'false' description: Set to true to enable package installation at deploy time type: boolean UpgradeLeappEnabled: description: Use Leapp for operating system upgrade type: boolean default: false UpgradeLeappDebug: description: Print debugging output when running Leapp type: boolean default: false UpgradeLeappDevelSkip: description: | Skip Leapp checks by setting env variables when running Leapp in development/testing. For example, LEAPP_DEVEL_SKIP_RHSM=1. type: string default: '' tags: - role_specific UpgradeLeappCommandOptions: description: | In case or using UpgradeLeappDevelSkip with LEAPP_NO_RHSM=1 user can specify --enablerepo --enablerepo options for leapp to use these repositories for the upgrade process. type: string default: '' tags: - role_specific UpgradeLeappRebootTimeout: description: Timeout (seconds) for the OS upgrade phase via Leapp type: number default: 3600 UpgradeLeappPostRebootDelay: description: | Maximum (seconds) to wait for machine to reboot and respond to a test command. type: number default: 120 UpgradeLeappToRemove: default: [] description: List of packages to remove during Leapp upgrade. type: comma_delimited_list tags: - role_specific UpgradeLeappToInstall: default: [] description: List of packages to install after Leapp upgrade. type: comma_delimited_list tags: - role_specific LeappUnloadKernelDrivers: type: comma_delimited_list default: [] description: | List of modules to unload from the system due to being incompatible with the next RHEL version. If not being unloaded Leapp will inhibit the upgrade. LeappActorsToRemove: type: comma_delimited_list default: [] description: | List of actors to remove from the leapp process to prevent them from inhibiting the upgrade. LeappRepoInitCommand: type: string description: | Command or script snippet to run on all overcloud nodes to initialize the Leapp process. E.g. a repository switch. default: '' tags: - role_specific LeappInitCommand: type: string description: | Command or script snippet to run on all overcloud nodes to apply any necessary workarounds to get Leapp working. default: '' tags: - role_specific NICsPrefixesToUdev: default: [] description: | List of NIC prefixes to hardcode into udev in order to prevent renaming. type: comma_delimited_list tags: - role_specific LeappPreRebootCommand: type: string description: | Command or script snippet to run on all overcloud nodes to apply any necessary workarounds before rebooting into Leapp. default: '' tags: - role_specific LeappPostRebootCommand: type: string description: | Command or script snippet to run on all overcloud nodes to apply any necessary workarounds after rebooting from Leapp. default: '' tags: - role_specific UpgradeInitCommand: type: string description: | Command or script snippet to run on all overcloud nodes to initialize the upgrade process. E.g. a repository switch. default: '' tags: - role_specific UpgradeInitCommonCommand: type: string description: | Common commands required by the upgrades process. This should not normally be modified by the operator and is set and unset in the major-upgrade-composable-steps.yaml and major-upgrade-converge.yaml environment files. default: '' SkipPackageUpdate: default: false description: Set to true to skip the update all packages type: boolean SkipRhelEnforcement: default: false description: Whether to avoid or not RHEL/OSP policies enforcement on Red Hat. Mainly for CI purpose. It shouldn't matter on other distributions where it's disabled in the role. Set to true to skip the enforcement. type: boolean DnfStreams: default: [] description: List of streams to be configured before updating packages. Each list element contains a dictionary with the following values defined module[mandatory], stream[mandatory], distribution_version[mandatory] and profile[optional]. If the profile is not specified 'common' will be used instead. type: json tags: - role_specific BaseTripleoPackages: default: [] description: List of packages to install. type: comma_delimited_list tags: - role_specific ContainerImageRegistryLogin: type: boolean default: false description: Flag to enable container registry login actions during the deployment. Setting this to true will cause login calls to be performed during the deployment. resources: RoleParametersValue: type: OS::Heat::Value properties: type: json value: map_replace: - map_replace: - dnf_module_list: DnfStreams upgrade_leapp_devel_skip: UpgradeLeappDevelSkip upgrade_leapp_command_options: UpgradeLeappCommandOptions upgrade_leapp_to_remove: UpgradeLeappToRemove upgrade_leapp_to_install: UpgradeLeappToInstall leapp_repo_init_command: LeappRepoInitCommand leapp_init_command: LeappInitCommand nics_prefixes_to_keep: NICsPrefixesToUdev upgrade_leapp_modules_to_unload: LeappUnloadKernelDrivers upgrade_leapp_actors_to_remove: LeappActorsToRemove upgrade_init_command: UpgradeInitCommand base_tripleo_packages: BaseTripleoPackages leapp_pre_reboot_command: LeappPreRebootCommand leapp_post_reboot_command: LeappPostRebootCommand - values: {get_param: [RoleParameters]} - values: DnfStreams: {get_param: DnfStreams} UpgradeLeappDevelSkip: {get_param: UpgradeLeappDevelSkip} UpgradeLeappCommandOptions: {get_param: UpgradeLeappCommandOptions} UpgradeLeappToRemove: {get_param: UpgradeLeappToRemove} UpgradeLeappToInstall: {get_param: UpgradeLeappToInstall} LeappUnloadKernelDrivers: {get_param: LeappUnloadKernelDrivers} LeappPreRebootCommand: {get_param: LeappPreRebootCommand} LeappPostRebootCommand: {get_param: LeappPostRebootCommand} LeappActorsToRemove: {get_param: LeappActorsToRemove} UpgradeInitCommand: {get_param: UpgradeInitCommand} LeappRepoInitCommand: {get_param: LeappRepoInitCommand} LeappInitCommand: {get_param: LeappInitCommand} NICsPrefixesToUdev: {get_param: NICsPrefixesToUdev} BaseTripleoPackages: {get_param: BaseTripleoPackages} Podman: type: ../../deployment/podman/podman-baremetal-ansible.yaml properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} conditions: podman_requires_login: {equals: [{get_param: ContainerImageRegistryLogin}, true]} outputs: role_data: description: Role data for the TripleO package settings value: service_name: tripleo_packages config_settings: tripleo::packages::enable_install: {get_param: EnablePackageInstall} step_config: | include ::tripleo::packages upgrade_tasks: list_concat: - - name: Gather missing facts setup: gather_subset: - '!all' - '!min' - 'distribution' tags: - always - name: Set leapp facts set_fact: upgrade_leapp_enabled: >- {{ _upgradeLeappEnabled | bool and ansible_facts['distribution'] == 'RedHat' and ansible_facts['distribution_major_version'] is version('8', '==') }} upgrade_leapp_debug: {get_param: UpgradeLeappDebug} upgrade_leapp_devel_skip: {get_attr: [RoleParametersValue, value, 'upgrade_leapp_devel_skip']} upgrade_leapp_command_options: {get_attr: [RoleParametersValue, value, 'upgrade_leapp_command_options']} upgrade_leapp_reboot_timeout: {get_param: UpgradeLeappRebootTimeout} upgrade_leapp_post_reboot_delay: {get_param: UpgradeLeappPostRebootDelay} vars: _upgradeLeappEnabled: {get_param: UpgradeLeappEnabled} tags: - always - name: system_upgrade_prepare step 3 tags: - never - system_upgrade - system_upgrade_prepare when: - step|int == 3 - upgrade_leapp_enabled block: - name: Run LeappRepoInitCommand shell: list_join: - '' - - "#!/bin/bash\n\n" - {get_attr: [RoleParametersValue, value, 'leapp_repo_init_command']} # OSP does not use firewalld #2295402 - name: Remove firewalld bindings package: name: python3-firewall state: absent - name: install leapp package: name: leapp-repository-openstack state: latest - name: Run LeappInitCommand shell: list_join: - '' - - "#!/bin/bash\n\n" - {get_attr: [RoleParametersValue, value, 'leapp_init_command']} - name: Remove vdo package: name: vdo state: absent - name: "add packages into Leapp's to_remove file" vars: pkg_to_remove: {get_attr: [RoleParametersValue, value, 'upgrade_leapp_to_remove']} lineinfile: path: "/etc/leapp/transaction/to_remove" line: "{{ item }}" loop: "{{ pkg_to_remove }}" - name: "add packages into Leapp's to_install file" vars: pkg_to_install: {get_attr: [RoleParametersValue, value, 'upgrade_leapp_to_install']} lineinfile: path: "/etc/leapp/transaction/to_install" line: "{{ item }}" loop: "{{ pkg_to_install }}" - name: "check sshd_config file" stat: path: "/etc/ssh/sshd_config" register: sshd_config_result - name: "add PermitRootLogin option for leapp" lineinfile: path: "/etc/ssh/sshd_config" regexp: "^(# *)?PermitRootLogin" line: "PermitRootLogin without-password" - name: Remove paunch-services package: name: paunch-services state: absent - name: tripleo_container_manage reconfiguration import_role: name: tripleo_container_manage tasks_from: shutdown.yml - name: system_upgrade_prepare step 4 tags: - never - system_upgrade - system_upgrade_prepare when: - step|int == 4 - upgrade_leapp_enabled block: - name: "Delete the kernel modules in Leapp database (device_driver_deprecation_data.json)" vars: modules_to_unload: { get_attr: [RoleParametersValue, value, 'upgrade_leapp_modules_to_unload']} shell: > set -o pipefail && jq '. | del(.data[] | select(.driver_name == "{{ item }}"))' /etc/leapp/files/device_driver_deprecation_data.json > /etc/leapp/files/device_driver_deprecation_data.json_modified && mv /etc/leapp/files/device_driver_deprecation_data.json_modified /etc/leapp/files/device_driver_deprecation_data.json loop: "{{ modules_to_unload }}" - name: Remove leapp actors to prevent them inhibiting the upgrade vars: actors_to_remove: { get_attr: [RoleParametersValue, value, 'upgrade_leapp_actors_to_remove']} command: cmd: find /usr/share/leapp-repository/repositories/ -name {{ item }} -type d -print -exec rm -rf "{}" + loop: "{{ actors_to_remove }}" - name: set leapp required answers shell: | leapp answer --add --section check_vdo.confirm=True - name: Replace EFI grub.cfg with redirect to /boot/grub2/grub.cfg import_role: name: tripleo_kernel tasks_from: efigrub.yml - name: Keep nics with prefix in NICsPrefixesToUdev from renaming vars: nics_prefixes_to_keep: {get_attr: [RoleParametersValue, value, 'nics_prefixes_to_keep']} # (.ifname | test("^.*\\..*$") | not) removes vlan nics like ens1.1 # (.ifname | test("^.*v[0-9]*$") | not) removes virtual function nics ens1v1 # (.ifname | test("^.*_[0-9]*$") | not) also removes virtual function nics ens1_1 shell: > ip -j link show | \ jq -r --arg prefix "{{ item }}" '.[] | select((.ifname | startswith($prefix)) and (.ifname | test("^.*v[0-9]*$") | not) and (.ifname | test("^.*_[0-9]*$") | not) and (.ifname | test("^.*\\..*$") | not)) | if .permaddr? then .address=.permaddr else . end | "SUBSYSTEM==\"net\",ACTION==\"add\",DRIVERS==\"?*\"," + "NAME=\"" + .ifname +"\" ,ATTR{address}==\"" + .address + "\""' >> /etc/udev/rules.d/70-rhosp-persistent-net.rules loop: "{{ nics_prefixes_to_keep|list }}" - name: run leapp upgrade (download packages) shell: > {% if upgrade_leapp_devel_skip|default(false) %}{{ upgrade_leapp_devel_skip }}{% endif %} leapp upgrade {% if upgrade_leapp_debug|default(true) %}--debug{% endif %} {% if upgrade_leapp_command_options|default(false) %}{{ upgrade_leapp_command_options }}{% endif %} when: upgrade_leapp_enabled - name: system_upgrade_run step 4 tags: - never - system_upgrade - system_upgrade_run # In case someone needs to re-run system_upgrade_run post-tasks # but doesn't want to reboot, they can run with # `--skip-tags system_upgrade_reboot`. - system_upgrade_reboot when: - step|int == 4 - upgrade_leapp_enabled - "'Undercloud' not in group_names" block: - name: Run LeappPreRebootCommand shell: list_join: - '' - - "#!/bin/bash\n\n" - {get_attr: [RoleParametersValue, value, 'leapp_pre_reboot_command']} - name: Check that nova_libvirt is running shell: | podman ps --filter name=^nova_virtlogd$ --format "{% raw %}{{ .Image }}{% endraw %}" register: is_virtlogd_image_running - name: Remove systemd files to disable them file: path: "/etc/systemd/system/{{ item }}" state: absent with_items: - tripleo_nova_libvirt.service - tripleo_nova_virtlogd_wrapper.service - tripleo_nova_libvirt.target when: is_virtlogd_image_running.stdout != '' - name: reboot to perform the upgrade reboot: reboot_timeout: "{{upgrade_leapp_reboot_timeout}}" # TODO(holser): ansible 2.10 and higher provides boot_time_command to detect boot_id before and after reboot. test_command: >- source /etc/os-release; [ "${VERSION_ID%.*}" -ge "8" ] && systemctl is-system-running | grep -qE "running|degraded" || exit 1 post_reboot_delay: "{{ upgrade_leapp_post_reboot_delay }}" - name: Set selinux back to enforcing after leapp reboot selinux: policy: targeted state: enforcing - name: Run LeappPostRebootCommand shell: list_join: - '' - - "#!/bin/bash\n\n" - {get_attr: [RoleParametersValue, value, 'leapp_post_reboot_command']} - name: Host packages setup step0 tags: setup_packages when: step|int == 0 block: - name: Package and repo update tasks block: - name: Run UpgradeInitCommand shell: list_join: - '' - - "#!/bin/bash\n\n" - "if [[ -f /etc/resolv.conf.save ]] ; then rm /etc/resolv.conf.save; fi\n\n" - {get_attr: [RoleParametersValue, value, 'upgrade_init_command']} - name: Run UpgradeInitCommonCommand shell: list_join: - '' - - "#!/bin/bash\n\n" - {get_param: UpgradeInitCommonCommand} - name: Ensure DNF modules have the right stream vars: dnf_module_list: {get_attr: [RoleParametersValue, value, 'dnf_module_list']} dnf: name: "@{{ item.module }}:{{ item.stream }}/{{ item.profile|default('common') }}" state: present loop: "{{ dnf_module_list|list }}" when: - dnf_module_list|length > 0 - item.distribution_version is defined - ansible_facts['distribution_major_version'] is version(item.distribution_version, '==') - name: Ensure TripleO prerequisite packages are installed package: name: - jq - lvm2 - openstack-selinux - os-net-config - puppet-tripleo - python3-heat-agent* - rsync state: present when: ansible_facts['distribution_major_version'] is version('8', '==') - name: Ensure TripleO prerequisite packages are installed and use role based heat variable to provide specific list of packages vars: base_tripleo_packages: {get_attr: [RoleParametersValue, value, 'base_tripleo_packages']} package: name: "{{ base_tripleo_packages }}" state: present when: - ansible_facts['distribution_major_version'] is version('8', '==') - base_tripleo_packages|length > 0 # Due to bug #2240185 where # Quay does not send schema 1 images as signed # Podman in version 4 and higher fails to run if signatures is missing from schema 1 manifest # Tripleo was using priority in accept headers which registries didn't understand and responsed with schema 1 # We now get images on the disk that might not be updateable and we are in middle of upgrade where # these images are "corrupt" from podman's point of view. We fix this by checking if the image is # schema 1 and if yes if it has signatures element in manifest. If it does not we just put empty # signatures which makes podman happy. - name: WA for 2240185 - If the image is schema 1 and lacks signatures than add empty signatures shell: | for manifest_file in `find /var/lib/containers/storage/overlay-images/ -name 'manifest'` do cat <<< $( jq 'if .schemaVersion == 1 then if has("signatures") then . else .signatures=[] end else . end' $manifest_file ) > $manifest_file done when: ansible_facts['distribution_major_version'] is version('8', '==') - name: check if libvirt is installed command: /usr/bin/rpm -q libvirt-daemon failed_when: false register: libvirt_installed check_mode: false - name: make sure libvirt services are disabled and masked service: name: "{{ item }}" state: stopped enabled: false masked: true daemon_reload: true loop: - libvirtd.service - virtlogd.socket when: - libvirt_installed.rc == 0 - name: Host packages setup step2 tags: setup_packages when: step|int == 2 block: - name: Special treatment for OpenvSwitch tripleo_ovs_upgrade: register: ovs_upgrade - name: Always ensure the openvswitch service is enabled and running after upgrades service: name: openvswitch enabled: true state: started when: - ovs_upgrade.changed|bool - name: Host packages setup step3 tags: setup_packages when: step|int == 3 block: - name: Check for os-net-config upgrade shell: "yum check-upgrade | awk '/os-net-config/{print}'" register: os_net_config_need_upgrade - name: Check that os-net-config has legacy configuration stat: path: /etc/os-net-config/config.json get_attributes: false get_checksum: false get_mime: false register: stat_config_json - name: Check that os-net-config has new configuration stat: path: /etc/os-net-config/config.yaml get_attributes: false get_checksum: false get_mime: false register: stat_config_yaml - name: Slurp the os-net-config config.json slurp: src: /etc/os-net-config/config.json register: os_config_json when: - stat_config_json.stat.exists - not stat_config_yaml.stat.exists - name: Write updated /etc/os-net-config/config.yaml copy: content: "{{ os_config_json.content | b64decode | from_json | to_yaml }}" dest: '/etc/os-net-config/config.yaml' when: - stat_config_json.stat.exists - not stat_config_yaml.stat.exists - name: Remove legacy os-net-config configuration command: mv /etc/os-net-config/config.json /etc/os-net-config/deprecated_config.json when: - stat_config_json.stat.exists - block: - name: Upgrade os-net-config package: name=os-net-config state=latest - name: take new os-net-config parameters into account now command: os-net-config --no-activate -c /etc/os-net-config/config.yaml -v --detailed-exit-codes register: os_net_config_upgrade failed_when: os_net_config_upgrade.rc not in [0,2] changed_when: os_net_config_upgrade.rc == 2 when: - os_net_config_need_upgrade.stdout - stat_config_yaml.stat.exists or stat_config_json.stat.exists # Exclude ansible-core due to https://bugs.launchpad.net/tripleo/+bug/1998501 - name: Update all packages when: - not skip_package_update|bool yum: name: '*' state: latest exclude: ansible-core vars: skip_package_update: {get_param: SkipPackageUpdate} - name: Check whether openvswitch exits command: systemctl status openvswitch.service register: ovs_service ignore_errors: true - name: Always ensure the openvswitch service is enabled and running after upgrades rhbz#2329821 service: name: openvswitch enabled: true state: started when: - ovs_service.stderr != "Unit openvswitch.service could not be found." - if: - podman_requires_login - {get_attr: [Podman, role_data, workaround_upgrade_tasks]} - [] external_upgrade_tasks: - name: Clean up upgrade artifacts when: step|int == 1 tags: - never - system_upgrade_cleanup block: - name: cleanup tripleo_persist include_role: name: tripleo_persist tasks_from: cleanup.yml update_tasks: - name: Enforce RHOSP rules regarding subscription. include_role: name: tripleo_redhat_enforce vars: skip_rhel_enforcement: {get_param: SkipRhelEnforcement} when: - step|int == 0 - ansible_facts['distribution'] == 'RedHat' - not (skip_rhel_enforcement | bool) - name: Ensure DNF modules have the right stream enabled vars: dnf_module_list: {get_attr: [RoleParametersValue, value, 'dnf_module_list']} tripleo_dnf_stream: name: "{{ item.module }}:{{ item.stream }}" state: enabled loop: "{{ dnf_module_list|list }}" when: - step|int == 0 - dnf_module_list|length > 0 - item.distribution_version is defined - ansible_facts['distribution_major_version'] is version(item.distribution_version, '==') - name: Check for existing yum.pid stat: path=/run/yum.pid register: yum_pid_file when: step|int == 0 or step|int == 3 - name: Exit if existing yum process fail: msg="ERROR existing yum.pid detected - can't continue! Please ensure there is no other package update process for the duration of the minor update worfklow. Exiting." when: (step|int == 0 or step|int == 3) and yum_pid_file.stat.exists - name: Special treatment for OpenvSwitch tripleo_ovs_upgrade: when: - step|int == 2 register: ovs_upgrade - name: Always ensure the openvswitch service is enabled and running after upgrades service: name: openvswitch enabled: yes state: started when: - step|int == 2 - ovs_upgrade.changed|bool - name: Update packages and EFI grub.cfg when: - step|int == 3 - not skip_package_update|bool block: # Exclude ansible until https://github.com/ansible/ansible/issues/56636 # is available - name: Update all packages yum: name: '*' state: latest exclude: ansible-core - name: Replace EFI grub.cfg with redirect to /boot/grub2/grub.cfg import_role: name: tripleo_kernel tasks_from: efigrub.yml vars: skip_package_update: {get_param: SkipPackageUpdate} # This is failsafe unless openvswitch package does something # to the systemd service state. - name: Ensure openvswitch is running after update when: step|int == 3 service: name: openvswitch enabled: yes state: started ignore_errors: true