Merge branch 'stackhpc/yoga' into upstream/yoga-2024-02-15

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @stackhpc/kayobe

.github/workflows/tag-and-release.yml

@@ -0,0 +1,12 @@
+---
+name: Tag & Release
+'on':
+  push:
+    branches:
+      - stackhpc/yoga
+permissions:
+  actions: read
+  contents: write
+jobs:
+  tag-and-release:
+    uses: stackhpc/.github/.github/workflows/tag-and-release.yml@main

.github/workflows/tox.yml

@@ -0,0 +1,7 @@
+---
+name: Tox Continuous Integration
+'on':
+  pull_request:
+jobs:
+  tox:
+    uses: stackhpc/.github/.github/workflows/tox.yml@main

ansible/firewall.yml

@@ -5,8 +5,7 @@
     - config
     - firewall
   tasks:
-    - name: Configure the firewall
+    - name: Configure firewalld
       include_role:
-        name: "firewall-{{ ansible_facts.os_family | lower }}"
-      when:
-        - ansible_facts.os_family == 'RedHat'
+        name: "firewalld"
+

ansible/group_vars/all/apt

@@ -45,3 +45,12 @@ apt_repositories: []
 # when replacing the distribution repositories via apt_repositories.
 # Default is false.
 apt_disable_sources_list: false
+
+# List of Apt auth configurations. Each item is a dict with the following keys:
+# * machine: 'machine' entry in the auth file
+# * login: 'login' entry in the auth file
+# * password: 'password' entry in the auth file
+# * filename: Name of a file in /etc/apt/auth.conf.d in which to store
+#   the auth configuration. The extension should be ``.conf``.
+# Default is an empty list.
+apt_auth: []

ansible/group_vars/all/ipa

@@ -19,6 +19,9 @@ ipa_builder_source_url: "https://opendev.org/openstack/ironic-python-agent-build
 # Version of IPA builder source repository. Default is {{ openstack_branch }}.
 ipa_builder_source_version: "{{ openstack_branch }}"
 
+# List of additional build host packages to install.
+ipa_build_dib_host_packages_extra: []
+
 # List of default Diskimage Builder (DIB) elements to use when building IPA
 # images. Default is ["centos", "enable-serial-console",
 # "ironic-python-agent-ramdisk"].

ansible/group_vars/all/kolla

@@ -127,6 +127,8 @@ overcloud_container_image_regex_map:
     enabled: "{{ kolla_enable_barbican | bool }}"
   - regex: ^blazar
     enabled: "{{ kolla_enable_blazar | bool }}"
+  - regex: ^caso
+    enabled: "{{ kolla_enable_caso | bool }}"
   - regex: ^ceilometer
     enabled: "{{ kolla_enable_ceilometer | bool }}"
   - regex: ^cinder
@@ -524,6 +526,7 @@ kolla_enable_rabbitmq: "yes"
 kolla_enable_aodh: "no"
 kolla_enable_barbican: "no"
 kolla_enable_blazar: "no"
+kolla_enable_caso: "no"
 kolla_enable_ceilometer: "no"
 kolla_enable_central_logging: "no"
 kolla_enable_cinder: "no"

ansible/group_vars/all/overcloud-dib

@@ -10,6 +10,9 @@
 # is {{ os_distribution == 'rocky' }}. This will change in a future release.
 overcloud_dib_build_host_images: "{{ os_distribution == 'rocky' }}"
 
+# List of additional build host packages to install.
+overcloud_dib_host_packages_extra: []
+
 # List of overcloud host disk images to build. Each element is a dict defining
 # an image in a format accepted by the stackhpc.os-images role. Default is to
 # build an image named "deployment_image" configured with the overcloud_dib_*

ansible/infra-vm-host-configure.yml

@@ -9,7 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
-- import_playbook: "disable-selinux.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"

ansible/kolla-ansible.yml

@@ -91,13 +91,6 @@
         kolla_ansible_passwords_path: "{{ kayobe_env_config_path }}/kolla/passwords.yml"
         kolla_overcloud_group_vars_path: "{{ kayobe_env_config_path }}/kolla/inventory/group_vars"
         kolla_ansible_certificates_path: "{{ kayobe_env_config_path }}/kolla/certificates"
-        # NOTE: This differs from the default SELinux mode in kolla ansible,
-        # which is permissive. The justification for using this mode is twofold:
-        # 1. it avoids filling up the audit log
-        # 2. it avoids an issue seen when using diskimage-builder in the bifrost
-        # container.
-        # We could look at making the SELinux mode configurable in future.
-        kolla_selinux_state: disabled
         kolla_inspector_dhcp_pool_start: "{{ inspection_net_name | net_inspection_allocation_pool_start }}"
         kolla_inspector_dhcp_pool_end: "{{ inspection_net_name | net_inspection_allocation_pool_end }}"
         kolla_inspector_netmask: "{{ inspection_net_name | net_mask }}"

ansible/kolla-openstack.yml

@@ -94,6 +94,7 @@
     switch_type_to_device_type:
       arista: netmiko_arista_eos
       dellos9: netmiko_dell_force10
+      dellos10: netmiko_dell_os10
       dell-powerconnect: netmiko_dell_powerconnect
       junos: netmiko_juniper
       openvswitch: netmiko_ovs_linux

ansible/overcloud-host-configure.yml

@@ -9,7 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
-- import_playbook: "disable-selinux.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"

ansible/overcloud-host-image-build.yml

@@ -22,6 +22,7 @@
           include_role:
             name: stackhpc.os-images
           vars:
+            os_images_package_dependencies_extra: "{{ overcloud_dib_host_packages_extra | select | list }}"
             os_images_venv: "{{ virtualenv_path }}/overcloud-host-image-dib"
             os_images_package_state: latest
             os_images_upper_constraints_file: "{{ overcloud_dib_upper_constraints_file }}"

ansible/overcloud-ipa-build.yml

@@ -36,6 +36,7 @@
           include_role:
             name: stackhpc.os-images
           vars:
+            os_images_package_dependencies_extra: "{{ ipa_build_dib_host_packages_extra | select | list }}"
             os_images_venv: "{{ virtualenv_path }}/ipa-build-dib"
             os_images_package_state: latest
             os_images_upper_constraints_file: "{{ ipa_build_upper_constraints_file }}"

ansible/overcloud-provision.yml

@@ -146,7 +146,6 @@
         bash -c '
         export OS_CLOUD=bifrost &&
         export BIFROST_INVENTORY_SOURCE=ironic &&
-        export OS_BAREMETAL_API_VERSION=1.34 &&
         ansible-playbook -vvvv
         /bifrost/playbooks/deploy-dynamic.yaml
         --inventory /etc/bifrost/inventory/

ansible/physical-network.yml

@@ -27,6 +27,7 @@
       - arista
       - dellos6
       - dellos9
+      - dellos10
       - dell-powerconnect
       - junos
       - mellanox
@@ -111,7 +112,7 @@
       arista_switch_interface_config: "{{ switch_interface_config }}"
 
 - name: Ensure DellOS physical switches are configured
-  hosts: switches_of_type_dellos6:switches_of_type_dellos9:&switches_in_display_mode_False
+  hosts: switches_of_type_dellos6:switches_of_type_dellos9:switches_of_type_dellos10:&switches_in_display_mode_False
   gather_facts: no
   roles:
     - role: ssh-known-host

ansible/roles/apt/defaults/main.yml

@@ -48,3 +48,12 @@ apt_repositories: []
 # when replacing the distribution repositories via apt_repositories.
 # Default is false.
 apt_disable_sources_list: false
+
+# List of Apt auth configurations. Each item is a dict with the following keys:
+# * machine: 'machine' entry in the auth file
+# * login: 'login' entry in the auth file
+# * password: 'password' entry in the auth file
+# * filename: Name of a file in /etc/apt/auth.conf.d in which to store
+#   the auth configuration. The extension should be ``.conf``.
+# Default is an empty list.
+apt_auth: []

ansible/roles/apt/files/auth_schema.json

@@ -0,0 +1,28 @@
+{
+    "$schema": "https://json-schema.org/draft/2020-12/schema",
+    "description": "List of Apt auth configurations",
+    "type": "array",
+    "items": {
+        "description": "Apt auth configuration",
+        "type": "object",
+        "required": ["machine", "login", "password", "filename"],
+        "properties": {
+            "machine": {
+                "type": "string",
+		"minLength": 1
+            },
+            "login": {
+                "type": "string",
+		"minLength": 1
+            },
+            "password": {
+                "type": "string",
+		"minLength": 1
+            },
+            "filename": {
+                "type": "string",
+		"minLength": 1
+            }
+        }
+    }
+}

ansible/roles/apt/tasks/auth.yml

@@ -0,0 +1,32 @@
+---
+- name: Validate Apt auth config
+  ansible.utils.validate:
+    criteria: "{{ lookup('ansible.builtin.file', 'auth_schema.json') }}"
+    data: "{{ apt_auth }}"
+
+- name: Ensure the Apt auth.conf.d directory exists
+  ansible.builtin.file:
+    path: "/etc/apt/auth.conf.d"
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+  become: true
+
+- name: Configure Apt auth files
+  ansible.builtin.template:
+    src: "auth.conf.j2"
+    dest: "/etc/apt/auth.conf.d/{{ auth.filename }}"
+    owner: root
+    group: root
+    mode: 0600
+  become: true
+  # apt_auth contains sensitive data, so iterate over indices to avoid exposing
+  # them in Ansible output.
+  loop: "{{ apt_auth | map(attribute='filename') }}"
+  loop_control:
+    index_var: auth_index
+  vars:
+    auth: "{{ apt_auth[auth_index] }}"
+  notify:
+    - Update apt cache

ansible/roles/apt/tasks/main.yml

@@ -6,3 +6,5 @@
 - import_tasks: keys.yml
 
 - import_tasks: repos.yml
+
+- import_tasks: auth.yml

ansible/roles/apt/templates/auth.conf.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+machine {{ auth.machine }}
+login {{ auth.login }}
+password {{ auth.password }}

ansible/roles/dell-switch/README.md

@@ -1,10 +1,10 @@
 Dell Switch
 ===========
 
-This role configures Dell switches using the `dellos6` or `dellos9` Ansible
-modules.  It provides a fairly minimal abstraction of the configuration
-interface provided by the `dellos` modules, allowing for application of
-arbitrary switch configuration options.
+This role configures Dell switches using the `dellos6`, `dellos9`, or
+`dellos10` Ansible modules.  It provides a fairly minimal abstraction of the
+configuration interface provided by the `dellos` modules, allowing for
+application of arbitrary switch configuration options.
 
 Requirements
 ------------
@@ -14,7 +14,8 @@ The switches should be configured to allow SSH access.
 Role Variables
 --------------
 
-`dell_switch_type` is the type of Dell switch. One of `dellos6`, `dellos9`.
+`dell_switch_type` is the type of Dell switch. One of `dellos6`, `dellos9`, or
+`dellos10`.
 
 `dell_switch_provider` is authentication provider information passed as the
 `provider` argument to the `dellos` modules.

ansible/roles/dell-switch/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-# Type of Dell switch. One of dellos6, dellos9.
+# Type of Dell switch. One of dellos6, dellos9, or dellos10.
 dell_switch_type:
 
 # Authentication provider information.

ansible/roles/dell-switch/tasks/main.yml

@@ -12,3 +12,10 @@
     provider: "{{ dell_switch_provider }}"
     src: dellos9-config.j2
   when: dell_switch_type == 'dellos9'
+
+- name: Ensure DellOS10 switches are configured
+  local_action:
+    module: dellos10_config
+    provider: "{{ dell_switch_provider }}"
+    src: "{{ lookup('template', 'dellos10-config.j2') }}"
+  when: dell_switch_type == 'dellos10'

ansible/roles/dell-switch/templates/dellos10-config.j2

@@ -0,0 +1,16 @@
+#jinja2: trim_blocks: True,lstrip_blocks: True
+
+{% for line in dell_switch_config %}
+{{ line }}
+{% endfor %}
+
+{% for interface, config in dell_switch_interface_config.items() %}
+interface {{ interface }}
+{% if config.description is defined %}
+description {{ config.description }}
+{% endif %}
+{% for line in config.config %}
+{{ line }}
+{% endfor %}
+exit
+{% endfor %}

ansible/roles/dnf/tasks/custom-repo.yml

@@ -16,12 +16,14 @@
     metalink: "{{ item.value.metalink | default(omit)}}"
     mirrorlist: "{{ item.value.mirrorlist | default(omit)}}"
     mirrorlist_expire: "{{ item.value.mirrorlist_expire | default(omit)}}"
+    password: "{{ item.value.password | default(omit) }}"
     priority: "{{ item.value.priority | default(omit)}}"
     proxy: "{{ item.value.proxy | default(omit)}}"
     proxy_password: "{{ item.value.proxy_password | default(omit)}}"
     proxy_username: "{{ item.value.proxy_username | default(omit)}}"
     repo_gpgcheck: "{{ item.value.repo_gpgcheck | default(omit)}}"
     sslverify: "{{ item.value.sslverify | default(omit)}}"
+    username: "{{ item.value.username | default(omit) }}"
     state: "{{ item.value.state | default(omit)}}"
   with_dict: "{{ dnf_custom_repos }}"
   register: register_dnf_command

ansible/roles/ironic-inspector-rules/README.md

@@ -26,8 +26,7 @@ compatible with the `auth` argument of `os_*` Ansible modules.
 
 `ironic_inspector_cacert` is an optional path to a CA certificate.
 
-`ironic_inspector_url` is the URL of Ironic Inspector API endpoint,
-required if no authentication is used.
+`ironic_inspector_cloud` is the name of a cloud in ``clouds.yaml``.
 
 `ironic_inspector_rules` is a list of introspection rules which should
 exist. See the Inspector rules API for details of parameters available