From 0e6fe1220392de5fb3d7ce3d98bc9d3d230cb09c Mon Sep 17 00:00:00 2001 From: Maksim Malchuk Date: Fri, 14 Oct 2022 17:56:20 +0300 Subject: [PATCH 1/4] Fix an issue when user forgot combine custom passwords Fixes an issue when user forgot to combine 'kolla_ansible_custom_passwords', 'kolla_ansible_default_custom_passwords' and own dictionary with custom passwords in configuration files. Now 'kolla_ansible_extra_custom_passwords' should provide only user custom passwords to add or override in the passwords.yml. Change-Id: I4813a1f6ab9cb566596e806bd0ada6dff342d119 Signed-off-by: Maksim Malchuk (cherry picked from commit 73abf0e57ee3aaeefa53eaf4fb7b1ed5f5c96933) --- ansible/inventory/group_vars/all/kolla | 8 ++++- .../configuration/reference/kolla-ansible.rst | 34 ++++++++++++------- etc/kayobe/kolla.yml | 4 +++ ...-passwords-overrides-065fd6bb8eb9689d.yaml | 14 ++++++++ 4 files changed, 46 insertions(+), 14 deletions(-) create mode 100644 releasenotes/notes/kolla-passwords-overrides-065fd6bb8eb9689d.yaml diff --git a/ansible/inventory/group_vars/all/kolla b/ansible/inventory/group_vars/all/kolla index 6ee4fe3df..218dc4f6f 100644 --- a/ansible/inventory/group_vars/all/kolla +++ b/ansible/inventory/group_vars/all/kolla @@ -590,9 +590,15 @@ kolla_ansible_default_custom_passwords: >- if compute_libvirt_enabled | bool and compute_libvirt_enable_sasl | bool else {}) }} +# Dictionary containing extra custom passwords to add or override in the Kolla +# passwords file. +kolla_ansible_extra_custom_passwords: {} + # Dictionary containing custom passwords to add or override in the Kolla # passwords file. -kolla_ansible_custom_passwords: "{{ kolla_ansible_default_custom_passwords }}" +kolla_ansible_custom_passwords: >- + {{ kolla_ansible_default_custom_passwords | + combine(kolla_ansible_extra_custom_passwords) }} ############################################################################### # OpenStack API addresses. 
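Review bot: `combine(kolla_ansible_extra_custom_passwords)` appears to raise rather than degrade gracefully when the extra variable is null or not a mapping, which is what an operator gets by uncommenting the `#kolla_ansible_extra_custom_passwords:` stub this patch adds to etc/kayobe/kolla.yml without giving it a value; `combine(kolla_ansible_extra_custom_passwords | default({}, true))` would make an empty override fall back to the defaults. The comment on the new variable could also say where the values end up, e.g. `# Dictionary containing extra custom passwords to add or override in the Kolla passwords file. These are secrets and should be protected in the same way as the generated passwords file.`, since the documentation example in this patch shows them written as plain strings in kolla.yml.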
diff --git a/doc/source/configuration/reference/kolla-ansible.rst b/doc/source/configuration/reference/kolla-ansible.rst
index 27f9f638f..f9281fabc 100644
--- a/doc/source/configuration/reference/kolla-ansible.rst
+++ b/doc/source/configuration/reference/kolla-ansible.rst
@@ -578,27 +578,35 @@ variable, if present. The file is generated to ``$KAYOBE_CONFIG_PATH/kolla/passwords.yml``, and should be stored along with other Kayobe configuration files. This file should not be manually modified. -``kolla_ansible_custom_passwords`` - Dictionary containing custom passwords to add or override in the Kolla - passwords file. Default is ``{{ kolla_ansible_default_custom_passwords - }}``, which contains SSH keys for use by Kolla Ansible and Bifrost. - Configuring Custom Passwords ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -In order to write additional passwords to ``passwords.yml``, set the kayobe -variable ``kolla_ansible_custom_passwords`` in -``$KAYOBE_CONFIG_PATH/kolla.yml``. +The following variables are used to configure custom passwords: + +* ``kolla_ansible_default_custom_passwords``: Dictionary containing default + custom passwords, required by Kolla Ansible. Contains SSH keys authorized by + kolla user on Kolla hosts, SSH keys authorized in hosts deployed by Bifrost, + Docker Registry password and compute libVirt custom passwords. +* ``kolla_ansible_extra_custom_passwords``: Dictionary containing extra custom + passwords to add or override in the Kolla passwords file. Default is an empty + dictionary. +* ``kolla_ansible_custom_passwords``: Dictionary containing custom passwords to + add or override in the Kolla passwords file. Default is the combination of + the ``kolla_ansible_default_custom_passwords`` and + ``kolla_ansible_extra_custom_passwords``. + +In this example we add our own ``my_custom_password`` and override +``keystone_admin_password``: .. code-block:: yaml :caption: ``$KAYOBE_CONFIG_PATH/kolla.yml`` --- - # Dictionary containing custom passwords to add or override in the Kolla - # passwords file. 
- kolla_ansible_custom_passwords: > - {{ kolla_ansible_default_custom_passwords | - combine({'my_custom_password': 'correcthorsebatterystaple'}) }} + # Dictionary containing extra custom passwords to add or override in the + # Kolla passwords file. + kolla_ansible_extra_custom_passwords: + my_custom_password: 'correcthorsebatterystaple' + keystone_admin_password: 'superduperstrongpassword' Control Plane Services ====================== diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml index 9ed9e6534..2a4666d83 100644 --- a/etc/kayobe/kolla.yml +++ b/etc/kayobe/kolla.yml @@ -441,6 +441,10 @@ # Kolla passwords file. #kolla_ansible_default_custom_passwords: +# Dictionary containing extra custom passwords to add or override in the Kolla +# passwords file. +#kolla_ansible_extra_custom_passwords: + # Dictionary containing custom passwords to add or override in the Kolla # passwords file. #kolla_ansible_custom_passwords: diff --git a/releasenotes/notes/kolla-passwords-overrides-065fd6bb8eb9689d.yaml b/releasenotes/notes/kolla-passwords-overrides-065fd6bb8eb9689d.yaml new file mode 100644 index 000000000..adc5318e7 --- /dev/null +++ b/releasenotes/notes/kolla-passwords-overrides-065fd6bb8eb9689d.yaml @@ -0,0 +1,14 @@ +--- +fixes: + - | + Fixes an issue when user forgot to combine + ``kolla_ansible_custom_passwords``, + ``kolla_ansible_default_custom_passwords`` and own dictionary with custom + passwords in configuration files. Now + ``kolla_ansible_extra_custom_passwords`` should provide only user custom + passwords to add or override in the passwords.yml. +upgrade: + - | + Now no need to combine ``kolla_ansible_default_custom_passwords`` and + ``kolla_ansible_custom_passwords`` in your custom configuration. Just use + ``kolla_ansible_extra_custom_passwords`` to add or override passwords. From 5bb5d076c9a35c7d3763973d1197fea5840f86cc Mon Sep 17 00:00:00 2001 
From: Mark Goddard Date: Tue, 20 Dec 2022 10:54:49 +0000 Subject: [PATCH 2/4] Fix setting kolla_admin_openrc_cacert Kolla Ansible renamed kolla_internal_fqdn_cacert to kolla_admin_openrc_cacert in Victoria, after which we no longer set the variable correctly in globals.yml. This would lead to a missing OS_CACERT in admin-openrc.sh and public-openrc.sh. This change fixes the issue by renaming the relevant Kayobe variables to match and passing through the correct variable. Backwards compatibility is provided until the end of the deprecation period. kolla_public_openrc_cacert -> kolla_external_fqdn_cacert kolla_admin_openrc_cacert -> kolla_internal_fqdn_cacert Story: 2010486 Task: 47054 Change-Id: I9e1cc20579cf80525d6ef732a1aac99a65bc171b Co-Authored-By: Maksim Malchuk (cherry picked from commit 95729405a38e6292a828c26347406e70132136b2) --- ansible/inventory/group_vars/all/kolla | 4 ++-- ansible/roles/kolla-ansible/defaults/main.yml | 4 ++-- .../kolla-ansible/templates/kolla/globals.yml | 3 +-- .../roles/kolla-ansible/tests/test-extras.yml | 2 ++ .../templates/public-openrc.sh.j2 | 4 ++-- .../configuration/reference/kolla-ansible.rst | 22 +++++++++++-------- etc/kayobe/kolla.yml | 4 ++-- ...eprecate-fqdn-cacert-301d5a26ed7107ab.yaml | 13 +++++++++++ 8 files changed, 37 insertions(+), 19 deletions(-) create mode 100644 releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml diff --git a/ansible/inventory/group_vars/all/kolla b/ansible/inventory/group_vars/all/kolla index 6ee4fe3df..e336c1f27 100644 --- a/ansible/inventory/group_vars/all/kolla +++ b/ansible/inventory/group_vars/all/kolla @@ -629,7 +629,7 @@ kolla_external_tls_cert: # Path to a CA certificate file to use for the OS_CACERT environment variable # in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's # default. -kolla_external_fqdn_cacert: +kolla_public_openrc_cacert: "{{ kolla_external_fqdn_cacert | default }}" # Internal API certificate bundle. # 
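Review bot: `"{{ kolla_external_fqdn_cacert | default }}"` appears to yield an empty string rather than null when the deprecated variable is unset, and the same applies to `kolla_admin_openrc_cacert` in the next hunk of this file; the `is not none` guard in the public-openrc.sh.j2 hunk below would then be satisfied and render `export OS_CACERT=` with no value instead of falling through to the line Kolla Ansible generated. Consider `"{{ kolla_external_fqdn_cacert | default(none) }}"` here and in the next hunk, or guard the template with the `is not none and ... | length > 0` pattern already used for the cert bundles in globals.yml. The role defaults hunk keeps both new variables as null, so the inventory value and the role default currently disagree on how "unset" is represented.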
@@ -642,7 +642,7 @@ kolla_internal_tls_cert:
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-kolla_internal_fqdn_cacert:
+kolla_admin_openrc_cacert: "{{ kolla_internal_fqdn_cacert | default }}"
 
 ###############################################################################
 # Proxy configuration
diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml
index 97a53eec9..309d3b79f 100644
--- a/ansible/roles/kolla-ansible/defaults/main.yml
+++ b/ansible/roles/kolla-ansible/defaults/main.yml
@@ -165,8 +165,8 @@ kolla_enable_tls_external:
 kolla_enable_tls_internal:
 kolla_external_fqdn_cert:
 kolla_internal_fqdn_cert:
-kolla_external_fqdn_cacert:
-kolla_internal_fqdn_cacert:
+kolla_public_openrc_cacert:
+kolla_admin_openrc_cacert:
 
 #############################
 # Ironic options
diff --git a/ansible/roles/kolla-ansible/templates/kolla/globals.yml b/ansible/roles/kolla-ansible/templates/kolla/globals.yml
index f7c370236..8b0a704d0 100644
--- a/ansible/roles/kolla-ansible/templates/kolla/globals.yml
+++ b/ansible/roles/kolla-ansible/templates/kolla/globals.yml
@@ -206,8 +206,7 @@ kolla_external_fqdn_cert: "{{ kolla_external_fqdn_cert }}"
 {% if kolla_internal_tls_cert is not none and kolla_internal_tls_cert | length > 0 %}
 kolla_internal_fqdn_cert: "{{ kolla_internal_fqdn_cert }}"
 {% endif %}
-kolla_external_fqdn_cacert: "{{ kolla_external_fqdn_cacert }}"
-kolla_internal_fqdn_cacert: "{{ kolla_internal_fqdn_cacert }}"
+kolla_admin_openrc_cacert: "{{ kolla_admin_openrc_cacert }}"
 
 ################
 # Region options
diff --git a/ansible/roles/kolla-ansible/tests/test-extras.yml b/ansible/roles/kolla-ansible/tests/test-extras.yml
index e3d1d6a96..44502c8a2 100644
--- a/ansible/roles/kolla-ansible/tests/test-extras.yml
+++ b/ansible/roles/kolla-ansible/tests/test-extras.yml
@@ -121,6 +121,7 @@ kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem" kolla_internal_tls_cert: | bogus internal certificate + kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt" kolla_openstack_logging_debug: True grafana_local_admin_user_name: "grafana-admin" kolla_inspector_dhcp_pool_start: "1.2.3.4" @@ -240,6 +241,7 @@ kolla_external_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/external.pem" kolla_enable_tls_internal: True kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem" + kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt" openstack_logging_debug: True grafana_admin_username: "grafana-admin" ironic_dnsmasq_dhcp_ranges: diff --git a/ansible/roles/public-openrc/templates/public-openrc.sh.j2 b/ansible/roles/public-openrc/templates/public-openrc.sh.j2 index d0356e800..1c2dd179c 100644 --- a/ansible/roles/public-openrc/templates/public-openrc.sh.j2 +++ b/ansible/roles/public-openrc/templates/public-openrc.sh.j2 @@ -11,8 +11,8 @@ export OS_ENDPOINT_TYPE=publicURL export OS_MANILA_ENDPOINT_TYPE=publicURL {% elif "export OS_MISTRAL_ENDPOINT_TYPE" in line %} export OS_MISTRAL_ENDPOINT_TYPE=publicURL -{% elif "export OS_CACERT" in line and kolla_external_fqdn_cacert is not none %} -export OS_CACERT={{ kolla_external_fqdn_cacert }} +{% elif "export OS_CACERT" in line and kolla_public_openrc_cacert is not none %} +export OS_CACERT={{ kolla_public_openrc_cacert }} {% else %} {{ line }} {% endif %} diff --git a/doc/source/configuration/reference/kolla-ansible.rst b/doc/source/configuration/reference/kolla-ansible.rst index 27f9f638f..faa854bbf 100644 --- a/doc/source/configuration/reference/kolla-ansible.rst +++ b/doc/source/configuration/reference/kolla-ansible.rst 
@@ -268,10 +268,6 @@ The following variables affect TLS encryption of the public API. A TLS certificate bundle to use for the public API endpoints, if ``kolla_enable_tls_external`` is ``true``. Note that this should be formatted as a literal style block scalar. -``kolla_external_fqdn_cacert`` - Path to a CA certificate file to use for the ``OS_CACERT`` environment - variable in openrc files when TLS is enabled, instead of Kolla Ansible's - default. The following variables affect TLS encryption of the internal API. Currently this requires all Kolla images to be built with the API's root CA trusted. @@ -282,10 +278,18 @@ this requires all Kolla images to be built with the API's root CA trusted. A TLS certificate bundle to use for the internal API endpoints, if ``kolla_enable_tls_internal`` is ``true``. Note that this should be formatted as a literal style block scalar. -``kolla_internal_fqdn_cacert`` + +The following variables affect the generated ``admin-openrc.sh`` and +``public-openrc.sh`` environment files. + +``kolla_public_openrc_cacert`` + Path to a CA certificate file to use for the ``OS_CACERT`` environment + variable in the ``public-openrc.sh`` file when TLS is enabled, instead of + ``kolla_admin_openrc_cacert``. +``kolla_admin_openrc_cacert`` Path to a CA certificate file to use for the ``OS_CACERT`` environment - variable in openrc files when TLS is enabled, instead of Kolla Ansible's - default. + variable in the ``admin-openrc.sh`` and ``public-openrc.sh`` files when TLS + is enabled, instead of Kolla Ansible's default. Example: enabling TLS for the public API ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -302,7 +306,7 @@ Here is an example: -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- - kolla_external_fqdn_cacert: /path/to/ca/certificate/bundle + kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle Example: enabling TLS for the internal API ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -319,7 +323,7 @@ Here is an example: -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- - kolla_internal_fqdn_cacert: /path/to/ca/certificate/bundle + kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle Other certificates ------------------ diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml index 9ed9e6534..df6fc2368 100644 --- a/etc/kayobe/kolla.yml +++ b/etc/kayobe/kolla.yml @@ -480,7 +480,7 @@ # Path to a CA certificate file to use for the OS_CACERT environment variable # in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's # default. -#kolla_external_fqdn_cacert: +#kolla_public_openrc_cacert: # Internal API certificate bundle. # @@ -493,7 +493,7 @@ # Path to a CA certificate file to use for the OS_CACERT environment variable # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's # default. -#kolla_internal_fqdn_cacert: +#kolla_admin_openrc_cacert: ############################################################################### # Proxy configuration diff --git a/releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml b/releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml new file mode 100644 index 000000000..d892cac43 --- /dev/null +++ b/releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml @@ -0,0 +1,13 @@ +--- +deprecates: + - | + Renames ``kolla_external_fqdn_cacert`` to ``kolla_public_openrc_cacert`` + and ``kolla_internal_fqdn_cacert`` to ``kolla_admin_openrc_cacert``. This + matches the Kolla Ansible variable name and better reflects their purpose. + The old variable names are still supported until the end of the deprecation + period (2024.2 "D" series release or later). +fixes: + - | + Fixes an issue where the Kolla Ansible variable + ``kolla_admin_openrc_cacert`` was not set to the value of + ``kolla_internal_fqdn_cacert``. From c903d93d3454bbd139abc230b0937981386bf2e9 Mon Sep 17 00:00:00 2001 
From: Mark Goddard Date: Thu, 12 Jan 2023 14:15:11 +0000 Subject: [PATCH 3/4] Generate local Kolla Ansible config in check mode If running a command in check mode such as kayobe overcloud service deploy --check Kayobe does not generate the local configuration for Kolla Ansible. This can lead to an inaccurate result when comparing with the remote configuration, if there are changes in kayobe-config. For example: * Run kayobe overcloud service deploy * Change a file in etc/kayobe/kolla * Run kayobe overcloud service deploy --check --diff We would expect that the changed file results in a diff against the remote config. However there is no diff displayed. This change fixes the issue by always generating the local Kolla Ansible config, even in check mode. Change-Id: Ic1dd075076ea186b0928bba1a235605c0cd2ec71 Story: 2010526 Task: 47132 (cherry picked from commit 2c0f705e7acab5691591c215e40dea707d12da15) --- kayobe/cli/commands.py | 10 ++--- kayobe/tests/unit/cli/test_commands.py | 37 +++++++++++++++++-- ...ck-mode-local-config-3f8a4ba231a32c1f.yaml | 7 ++++ 3 files changed, 46 insertions(+), 8 deletions(-) create mode 100644 releasenotes/notes/check-mode-local-config-3f8a4ba231a32c1f.yaml diff --git a/kayobe/cli/commands.py b/kayobe/cli/commands.py index b7c2a9ab6..ee3879c5b 100644 --- a/kayobe/cli/commands.py +++ b/kayobe/cli/commands.py 
@@ -105,15 +105,15 @@ def generate_kolla_ansible_config(self, parsed_args, install=False, tags = None if install else "config" playbooks = _build_playbook_list("kolla-ansible") self.run_kayobe_playbooks(parsed_args, playbooks, tags=tags, - ignore_limit=True) + ignore_limit=True, check=False) if service_config: playbooks = _build_playbook_list("kolla-openstack") self.run_kayobe_playbooks(parsed_args, playbooks, - ignore_limit=True) + ignore_limit=True, check=False) if bifrost_config: playbooks = _build_playbook_list("kolla-bifrost") self.run_kayobe_playbooks(parsed_args, playbooks, - ignore_limit=True) + ignore_limit=True, check=False) class KollaAnsibleMixin(object): @@ -261,7 +261,7 @@ def take_action(self, parsed_args): ka_tags = "install" playbooks = _build_playbook_list("kolla-ansible") self.run_kayobe_playbooks(parsed_args, playbooks, tags=ka_tags, - ignore_limit=True) + ignore_limit=True, check=False) if passwords_exist: # If we are bootstrapping a control host for an existing @@ -301,7 +301,7 @@ def take_action(self, parsed_args): self.run_kayobe_playbooks(parsed_args, playbooks, ignore_limit=True) playbooks = _build_playbook_list("kolla-ansible") self.run_kayobe_playbooks(parsed_args, playbooks, tags="install", - ignore_limit=True) + ignore_limit=True, check=False) class ConfigurationDump(KayobeAnsibleMixin, VaultMixin, Command): diff --git a/kayobe/tests/unit/cli/test_commands.py b/kayobe/tests/unit/cli/test_commands.py index 418486fab..7be5f487e 100644 --- a/kayobe/tests/unit/cli/test_commands.py +++ b/kayobe/tests/unit/cli/test_commands.py @@ -62,7 +62,8 @@ def test_control_host_bootstrap(self, mock_run, mock_passwords, mock.ANY, [utils.get_data_files_path("ansible", "kolla-ansible.yml")], tags="install", - ignore_limit=True + ignore_limit=True, + check=False, ), ] self.assertListEqual(expected_calls, mock_run.call_args_list) 
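Review bot: `check=False` on the `tags="install"` runs in the `@@ -261` and `@@ -301` hunks makes the control host bootstrap and upgrade commands install Kolla Ansible for real when invoked with `--check` (if those commands accept it), which goes beyond the local config generation the commit message justifies. If that is intended, the docstring of `generate_kolla_ansible_config` and the help text for `--check` should state that these local steps always run, and a comment at each call site such as `# Always generate local config, even in check mode, so the check compares against current config.` would make the deliberate override visible. The enclosing functions start outside these hunks.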
@@ -95,7 +96,8 @@ def test_control_host_bootstrap_with_passwords( mock.ANY, [utils.get_data_files_path("ansible", "kolla-ansible.yml")], tags=None, - ignore_limit=True + ignore_limit=True, + check=False, ), mock.call( mock.ANY, @@ -140,7 +142,8 @@ def test_control_host_upgrade(self, mock_run, mock_prune, mock.ANY, [utils.get_data_files_path("ansible", "kolla-ansible.yml")], tags="install", - ignore_limit=True + ignore_limit=True, + check=False, ), ] self.assertListEqual(expected_calls, mock_run.call_args_list) @@ -511,6 +514,7 @@ def test_seed_host_configure(self, mock_kolla_run, mock_run): [utils.get_data_files_path("ansible", "kolla-ansible.yml")], tags="config", ignore_limit=True, + check=False, ), mock.call( mock.ANY, @@ -571,6 +575,7 @@ def test_seed_host_configure_wipe_disks(self, mock_kolla_run, mock_run): [utils.get_data_files_path("ansible", "kolla-ansible.yml")], tags="config", ignore_limit=True, + check=False, ), mock.call( mock.ANY, @@ -874,11 +879,13 @@ def test_seed_service_deploy(self, mock_kolla_run, mock_run): [utils.get_data_files_path("ansible", "kolla-ansible.yml")], tags="config", ignore_limit=True, + check=False, ), mock.call( mock.ANY, [utils.get_data_files_path("ansible", "kolla-bifrost.yml")], ignore_limit=True, + check=False, ), mock.call( mock.ANY, @@ -924,11 +931,13 @@ def test_seed_service_upgrade(self, mock_kolla_run, mock_run): [utils.get_data_files_path("ansible", "kolla-ansible.yml")], tags="config", ignore_limit=True, + check=False, ), mock.call( mock.ANY, [utils.get_data_files_path("ansible", "kolla-bifrost.yml")], ignore_limit=True, + check=False, ), mock.call( mock.ANY, @@ -1183,6 +1192,7 @@ def test_overcloud_inventory_discover(self, mock_run_one, mock_run): [utils.get_data_files_path("ansible", "kolla-ansible.yml")], tags="config", ignore_limit=True, + check=False, ), ] self.assertListEqual(expected_calls, mock_run.call_args_list) 
@@ -1281,6 +1291,7 @@ def test_overcloud_facts_gather(self, mock_kolla_run, mock_run): [utils.get_data_files_path("ansible", "kolla-ansible.yml")], tags="config", ignore_limit=True, + check=False, ), ] self.assertListEqual(expected_calls, mock_run.call_args_list) @@ -1324,6 +1335,7 @@ def test_overcloud_host_configure(self, mock_kolla_run, mock_run): [utils.get_data_files_path("ansible", "kolla-ansible.yml")], tags="config", ignore_limit=True, + check=False, ), mock.call( mock.ANY, @@ -1380,6 +1392,7 @@ def test_overcloud_host_configure_wipe_disks(self, mock_kolla_run, [utils.get_data_files_path("ansible", "kolla-ansible.yml")], tags="config", ignore_limit=True, + check=False, ), mock.call( mock.ANY, @@ -1546,6 +1559,7 @@ def test_overcloud_database_backup(self, mock_kolla_run, mock_run): [utils.get_data_files_path("ansible", "kolla-ansible.yml")], tags="config", ignore_limit=True, + check=False, ), ] self.assertListEqual(expected_calls, mock_run.call_args_list) @@ -1577,6 +1591,7 @@ def test_overcloud_database_backup_incremental(self, mock_kolla_run, [utils.get_data_files_path("ansible", "kolla-ansible.yml")], tags="config", ignore_limit=True, + check=False, ), ] self.assertListEqual(expected_calls, mock_run.call_args_list) @@ -1607,6 +1622,7 @@ def test_overcloud_database_recover(self, mock_kolla_run, mock_run): [utils.get_data_files_path("ansible", "kolla-ansible.yml")], tags="config", ignore_limit=True, + check=False, ), mock.call( mock.ANY, @@ -1615,6 +1631,7 @@ def test_overcloud_database_recover(self, mock_kolla_run, mock_run): "kolla-openstack.yml"), ], ignore_limit=True, + check=False, ), ] self.assertListEqual(expected_calls, mock_run.call_args_list) @@ -1646,6 +1663,7 @@ def test_overcloud_database_recover_force_host(self, mock_kolla_run, [utils.get_data_files_path("ansible", "kolla-ansible.yml")], tags="config", ignore_limit=True, + check=False, ), mock.call( mock.ANY, 
@@ -1654,6 +1672,7 @@ def test_overcloud_database_recover_force_host(self, mock_kolla_run, "kolla-openstack.yml"), ], ignore_limit=True, + check=False, ), ] self.assertListEqual(expected_calls, mock_run.call_args_list) @@ -1707,6 +1726,7 @@ def test_overcloud_service_deploy(self, mock_kolla_run, mock_run): [utils.get_data_files_path("ansible", "kolla-ansible.yml")], ignore_limit=True, tags="config", + check=False, ), mock.call( mock.ANY, @@ -1715,6 +1735,7 @@ def test_overcloud_service_deploy(self, mock_kolla_run, mock_run): "kolla-openstack.yml"), ], ignore_limit=True, + check=False, ), mock.call( mock.ANY, @@ -1772,6 +1793,7 @@ def test_overcloud_service_deploy_containers(self, mock_kolla_run, [utils.get_data_files_path("ansible", "kolla-ansible.yml")], ignore_limit=True, tags="config", + check=False, ), mock.call( mock.ANY, @@ -1780,6 +1802,7 @@ def test_overcloud_service_deploy_containers(self, mock_kolla_run, "kolla-openstack.yml"), ], ignore_limit=True, + check=False, ), mock.call( mock.ANY, @@ -1825,6 +1848,7 @@ def test_overcloud_service_prechecks(self, mock_kolla_run, mock_run): [utils.get_data_files_path("ansible", "kolla-ansible.yml")], ignore_limit=True, tags="config", + check=False, ), mock.call( mock.ANY, @@ -1833,6 +1857,7 @@ def test_overcloud_service_prechecks(self, mock_kolla_run, mock_run): "kolla-openstack.yml"), ], ignore_limit=True, + check=False, ), ] self.assertListEqual(expected_calls, mock_run.call_args_list) @@ -1863,6 +1888,7 @@ def test_overcloud_service_reconfigure(self, mock_kolla_run, mock_run): [utils.get_data_files_path("ansible", "kolla-ansible.yml")], ignore_limit=True, tags="config", + check=False, ), mock.call( mock.ANY, @@ -1871,6 +1897,7 @@ def test_overcloud_service_reconfigure(self, mock_kolla_run, mock_run): "kolla-openstack.yml"), ], ignore_limit=True, + check=False, ), mock.call( mock.ANY, 
@@ -1927,6 +1954,7 @@ def test_overcloud_service_stop(self, mock_kolla_run, mock_run): [utils.get_data_files_path("ansible", "kolla-ansible.yml")], ignore_limit=True, tags="config", + check=False, ), mock.call( mock.ANY, @@ -1935,6 +1963,7 @@ def test_overcloud_service_stop(self, mock_kolla_run, mock_run): "kolla-openstack.yml"), ], ignore_limit=True, + check=False, ), mock.call( mock.ANY, @@ -1991,6 +2020,7 @@ def test_overcloud_service_upgrade(self, mock_kolla_run, mock_run): [utils.get_data_files_path("ansible", "kolla-ansible.yml")], ignore_limit=True, tags=None, + check=False, ), mock.call( mock.ANY, @@ -1999,6 +2029,7 @@ def test_overcloud_service_upgrade(self, mock_kolla_run, mock_run): "kolla-openstack.yml"), ], ignore_limit=True, + check=False, ), mock.call( mock.ANY, diff --git a/releasenotes/notes/check-mode-local-config-3f8a4ba231a32c1f.yaml b/releasenotes/notes/check-mode-local-config-3f8a4ba231a32c1f.yaml new file mode 100644 index 000000000..fba1aa222 --- /dev/null +++ b/releasenotes/notes/check-mode-local-config-3f8a4ba231a32c1f.yaml @@ -0,0 +1,7 @@ +--- +fixes: + - | + Fixes an issue where local configuration generation would be skipped when + running in check mode. This would lead to Kolla Ansible checking with stale + configuration. See `story 2010526 + `__ for details. From 22307eb73e97833c25521fda5ff8fc6f173116ad Mon Sep 17 00:00:00 2001 
From: Pierre Riteau Date: Fri, 17 Nov 2023 13:23:36 +0100 Subject: [PATCH 4/4] Disable configuration of SELinux by Kolla Ansible When using the default configuration, bootstrapping servers with Kolla Ansible would revert SELinux from permissive to disabled. Change-Id: I8ad027384d9d062fdd363b10fd7bcebe22d775e0 --- ansible/kolla-ansible.yml | 7 ------- ansible/roles/kolla-ansible/defaults/main.yml | 6 ------ ansible/roles/kolla-ansible/templates/kolla/globals.yml | 6 +++--- .../notes/disable-kolla-selinux-71f76e63776e0aed.yaml | 5 +++++ 4 files changed, 8 insertions(+), 16 deletions(-) create mode 100644 releasenotes/notes/disable-kolla-selinux-71f76e63776e0aed.yaml diff --git a/ansible/kolla-ansible.yml b/ansible/kolla-ansible.yml index a469e474d..ccff7c2b0 100644 --- a/ansible/kolla-ansible.yml +++ b/ansible/kolla-ansible.yml @@ -91,13 +91,6 @@ kolla_ansible_passwords_path: "{{ kayobe_env_config_path }}/kolla/passwords.yml" kolla_overcloud_group_vars_path: "{{ kayobe_env_config_path }}/kolla/inventory/group_vars" kolla_ansible_certificates_path: "{{ kayobe_env_config_path }}/kolla/certificates" - # NOTE: This differs from the default SELinux mode in kolla ansible, - # which is permissive. The justification for using this mode is twofold: - # 1. it avoids filling up the audit log - # 2. it avoids an issue seen when using diskimage-builder in the bifrost - # container. - # We could look at making the SELinux mode configurable in future. - kolla_selinux_state: disabled kolla_inspector_dhcp_pool_start: "{{ inspection_net_name | net_inspection_allocation_pool_start }}" kolla_inspector_dhcp_pool_end: "{{ inspection_net_name | net_inspection_allocation_pool_end }}" kolla_inspector_netmask: "{{ inspection_net_name | net_mask }}" diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml index 309d3b79f..dd2af4a88 100644 --- a/ansible/roles/kolla-ansible/defaults/main.yml +++ b/ansible/roles/kolla-ansible/defaults/main.yml 
@@ -274,12 +274,6 @@ kolla_ansible_custom_passwords: {} kolla_external_tls_cert: kolla_internal_tls_cert: -############################################################################### -# SELinux - -# Desired SELinux state. -kolla_selinux_state: - ############################################################################### # NTP diff --git a/ansible/roles/kolla-ansible/templates/kolla/globals.yml b/ansible/roles/kolla-ansible/templates/kolla/globals.yml index 8b0a704d0..7b590b578 100644 --- a/ansible/roles/kolla-ansible/templates/kolla/globals.yml +++ b/ansible/roles/kolla-ansible/templates/kolla/globals.yml @@ -538,9 +538,9 @@ grafana_admin_username: "{{ grafana_local_admin_user_name }}" # Bootstrap-servers - Host Configuration ######################################### -{% if kolla_selinux_state is not none %} -selinux_state: {{ kolla_selinux_state }} -{% endif %} +# Kayobe performs configuration of SELinux, so there is no need for Kolla +# Ansible to repeat this. +change_selinux: false {% if kolla_enable_host_ntp is not none %} enable_host_ntp: {{ kolla_enable_host_ntp | bool }} diff --git a/releasenotes/notes/disable-kolla-selinux-71f76e63776e0aed.yaml b/releasenotes/notes/disable-kolla-selinux-71f76e63776e0aed.yaml new file mode 100644 index 000000000..b6adcd28e --- /dev/null +++ b/releasenotes/notes/disable-kolla-selinux-71f76e63776e0aed.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Disables configuration of SELinux by Kolla Ansible, which could revert + configuration set by Kayobe.
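Review bot: `change_selinux: false` is hardcoded with no variable behind it, so hosts that Kolla Ansible's bootstrap-servers previously switched to `disabled` (the removed `kolla_selinux_state: disabled` in ansible/kolla-ansible.yml) now keep whatever state Kayobe configures, and the comment should make that consequence explicit, e.g. `# Kayobe configures SELinux itself, so Kolla Ansible must not change it (previously it forced the state to disabled).`. Since the release note in this patch lists the change only under fixes, an upgrade note asking operators to verify the effective SELinux mode on existing hosts after upgrading would be worth adding.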