From 53248515858f09fe71704ac226039510b3db0d02 Mon Sep 17 00:00:00 2001 From: k-s-dean Date: Tue, 19 Jul 2022 16:40:35 +0100 Subject: [PATCH 1/4] Add support for firewalld on Ubuntu Enables the installation and configuration of firewalld on Ubuntu systems. Change-Id: I4a97a2aeed277be672e15e5c7727b810e11d3c42 Story: 2010160 Task: 45818 (cherry picked from commit 6990a041c77c0b21b681b4f721b2cf55209b3eea) --- ansible/firewall.yml | 7 +++---- .../defaults/main.yml | 0 .../handlers/main.yml | 0 .../tasks/disabled.yml | 0 .../tasks/enabled.yml | 0 .../{firewall-redhat => firewalld}/tasks/main.yml | 0 doc/source/configuration/reference/hosts.rst | 7 +++---- .../overrides.yml.j2 | 2 +- .../tests/test_overcloud_host_configure.py | 13 ++----------- .../add-support-for-firewalld-4387151a727bf8bb.yaml | 5 +++++ 10 files changed, 14 insertions(+), 20 deletions(-) rename ansible/roles/{firewall-redhat => firewalld}/defaults/main.yml (100%) rename ansible/roles/{firewall-redhat => firewalld}/handlers/main.yml (100%) rename ansible/roles/{firewall-redhat => firewalld}/tasks/disabled.yml (100%) rename ansible/roles/{firewall-redhat => firewalld}/tasks/enabled.yml (100%) rename ansible/roles/{firewall-redhat => firewalld}/tasks/main.yml (100%) create mode 100644 releasenotes/notes/add-support-for-firewalld-4387151a727bf8bb.yaml diff --git a/ansible/firewall.yml b/ansible/firewall.yml index c133fb011..935328db9 100644 --- a/ansible/firewall.yml +++ b/ansible/firewall.yml @@ -5,8 +5,7 @@ - config - firewall tasks: - - name: Configure the firewall + - name: Configure firewalld include_role: - name: "firewall-{{ ansible_facts.os_family | lower }}" - when: - - ansible_facts.os_family == 'RedHat' + name: "firewalld" + diff --git a/ansible/roles/firewall-redhat/defaults/main.yml b/ansible/roles/firewalld/defaults/main.yml similarity index 100% rename from ansible/roles/firewall-redhat/defaults/main.yml rename to ansible/roles/firewalld/defaults/main.yml 
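Review bot: Dropping the `when: ansible_facts.os_family == 'RedHat'` guard in ansible/firewall.yml makes the `firewalld` role run on every host the play targets, whatever its OS family. The role files are renamed at 100% similarity, so this commit adds no Ubuntu-specific handling; if ufw or another netfilter front end may be active on those hosts, confirm the role leaves only one firewall manager in control, or document the requirement in hosts.rst. If only RedHat and Ubuntu are meant to be supported, an explicit guard such as `when: ansible_facts.os_family in ['RedHat', 'Debian']` would keep other platforms from failing inside the role.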
diff --git a/ansible/roles/firewall-redhat/handlers/main.yml b/ansible/roles/firewalld/handlers/main.yml similarity index 100% rename from ansible/roles/firewall-redhat/handlers/main.yml rename to ansible/roles/firewalld/handlers/main.yml diff --git a/ansible/roles/firewall-redhat/tasks/disabled.yml b/ansible/roles/firewalld/tasks/disabled.yml similarity index 100% rename from ansible/roles/firewall-redhat/tasks/disabled.yml rename to ansible/roles/firewalld/tasks/disabled.yml diff --git a/ansible/roles/firewall-redhat/tasks/enabled.yml b/ansible/roles/firewalld/tasks/enabled.yml similarity index 100% rename from ansible/roles/firewall-redhat/tasks/enabled.yml rename to ansible/roles/firewalld/tasks/enabled.yml diff --git a/ansible/roles/firewall-redhat/tasks/main.yml b/ansible/roles/firewalld/tasks/main.yml similarity index 100% rename from ansible/roles/firewall-redhat/tasks/main.yml rename to ansible/roles/firewalld/tasks/main.yml diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst index 0451a3838..81ff252f7 100644 --- a/doc/source/configuration/reference/hosts.rst +++ b/doc/source/configuration/reference/hosts.rst @@ -468,12 +468,11 @@ Firewalld *tags:* | ``firewall`` -.. note:: Firewalld is supported on CentOS and Rocky systems only. Currently no - firewall is supported on Ubuntu. - -Firewalld can be used to provide a firewall on CentOS/Rocky systems. Since the +Firewalld can be used to provide a firewall on supported systems. Since the Xena release, Kayobe provides support for enabling or disabling firewalld, as well as defining zones and rules. +Since the Zed 13.0.0 release, Kayobe added support for configuring firewalld on +Ubuntu systems. The following variables can be used to set whether to enable firewalld: diff --git a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 index fed315141..c5ecefdb8 100644 
--- a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 +++ b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 @@ -170,7 +170,7 @@ chrony_ntp_servers: - option: maxsources val: 2 -# Enable firewalld (CentOS only). +# Enable firewalld controller_firewalld_enabled: true controller_firewalld_zones: - zone: test-zone1 diff --git a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py index f9582e155..d2ff5c5aa 100644 --- a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py +++ b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py @@ -11,11 +11,6 @@ import pytest -def _is_firewalld_supported(): - info = distro.id() - return info in ['centos', 'rocky'] - - def _is_apt(): info = distro.linux_distribution() return info[0].startswith('Ubuntu') @@ -25,10 +20,12 @@ def _is_dnf(): info = distro.id() return info in ['centos', 'rocky'] + def _is_dnf_mirror(): info = distro.id() return info == 'centos' + def test_network_ethernet(host): interface = host.interface('dummy2') assert interface.exists @@ -241,16 +238,12 @@ def test_tuned_profile_is_active(host): assert "throughput-performance" in tuned_output -@pytest.mark.skipif(not _is_firewalld_supported(), - reason="Firewalld only supported on CentOS and Rocky") def test_firewalld_running(host): assert host.package("firewalld").is_installed assert host.service("firewalld.service").is_enabled assert host.service("firewalld.service").is_running -@pytest.mark.skipif(not _is_firewalld_supported(), - reason="Firewalld only supported on CentOS and Rocky") def test_firewalld_zones(host): # Verify that interfaces are on correct zones. expected_zones = { 
@@ -272,8 +265,6 @@ def test_firewalld_zones(host): assert zone == expected_zone -@pytest.mark.skipif(not _is_firewalld_supported(), - reason="Firewalld only supported on CentOS and Rocky") def test_firewalld_rules(host): # Verify that expected rules are present. expected_info = { diff --git a/releasenotes/notes/add-support-for-firewalld-4387151a727bf8bb.yaml b/releasenotes/notes/add-support-for-firewalld-4387151a727bf8bb.yaml new file mode 100644 index 000000000..488e69bdd --- /dev/null +++ b/releasenotes/notes/add-support-for-firewalld-4387151a727bf8bb.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Adds support for configuring a firewall via firewalld on Ubuntu. See `story + 2010160 `__ for details. From 0ff1f8c5f9a350c14566721fc2834f701599e6a3 Mon Sep 17 00:00:00 2001 
From: Mark Goddard Date: Tue, 2 Aug 2022 10:18:30 +0100 Subject: [PATCH 2/4] Support authentication in Bifrost * Switch from python-ironic-inspector-client to openstacksdk in ironic-inspector-rules. This allows us to use clouds.yaml to provide credentials. * Enable authentication in Bifrost. Passwords are auto-generated by Bifrost, and stored files in /root/.config/bifrost/. This change depends on a Kolla Ansible patch that ensures that these credentials are persisted between recreations of the bifrost container. * Copy clouds.yaml and (if present) a CA certificate from the Bifrost container to the seed host, under the Kayobe Ansible user (stack). This allows us to use the credentials to register introspection rules. * This patch is needed by a Kolla Ansible patch that enables TLS in Bifrost, since we need the CA certificate on the host to register introspection rules when TLS is enabled. Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/851837 Needed-By: https://review.opendev.org/c/openstack/kolla-ansible/+/851838 Story: 2010206 Task: 45930 Change-Id: I757f1bb72afb01a4f1689bed292f5b71b9048fa0 (cherry picked from commit 32a82ea039cd6b13223c66f9119d8d80931abf63) --- ansible/overcloud-provision.yml | 1 - .../roles/ironic-inspector-rules/README.md | 3 +- .../ironic-inspector-rules/defaults/main.yml | 6 +- .../library/os_ironic_inspector_rule.py | 61 +++++++------------ .../ironic-inspector-rules/tasks/main.yml | 12 +--- .../kolla/config/bifrost/bifrost.yml | 3 - ansible/seed-credentials.yml | 45 ++++++++++++++ ansible/seed-introspection-rules.yml | 5 +- kayobe/cli/commands.py | 2 + kayobe/tests/unit/cli/test_commands.py | 4 ++ .../seed-clouds-yaml-cbaf1961c5f8ceb0.yaml | 9 +++ 11 files changed, 88 insertions(+), 63 deletions(-) create mode 100644 ansible/seed-credentials.yml create mode 100644 releasenotes/notes/seed-clouds-yaml-cbaf1961c5f8ceb0.yaml 
diff --git a/ansible/overcloud-provision.yml b/ansible/overcloud-provision.yml index e3a8590a8..d1536de30 100644 --- a/ansible/overcloud-provision.yml +++ b/ansible/overcloud-provision.yml @@ -143,7 +143,6 @@ bash -c ' export OS_CLOUD=bifrost && export BIFROST_INVENTORY_SOURCE=ironic && - export OS_BAREMETAL_API_VERSION=1.34 && ansible-playbook -vvvv /bifrost/playbooks/deploy-dynamic.yaml --inventory /etc/bifrost/inventory/ diff --git a/ansible/roles/ironic-inspector-rules/README.md b/ansible/roles/ironic-inspector-rules/README.md index 7a3bdb1d1..bd5462e98 100644 --- a/ansible/roles/ironic-inspector-rules/README.md +++ b/ansible/roles/ironic-inspector-rules/README.md @@ -26,8 +26,7 @@ compatible with the `auth` argument of `os_*` Ansible modules. `ironic_inspector_cacert` is an optional path to a CA certificate. -`ironic_inspector_url` is the URL of Ironic Inspector API endpoint, -required if no authentication is used. +`ironic_inspector_cloud` is the name of a cloud in ``clouds.yaml``. `ironic_inspector_rules` is a list of introspection rules which should exist. See the Inspector rules API for details of parameters available diff --git a/ansible/roles/ironic-inspector-rules/defaults/main.yml b/ansible/roles/ironic-inspector-rules/defaults/main.yml index 64545b517..ee38abae1 100644 --- a/ansible/roles/ironic-inspector-rules/defaults/main.yml +++ b/ansible/roles/ironic-inspector-rules/defaults/main.yml @@ -14,12 +14,12 @@ ironic_inspector_auth: {} # CA certificate path. ironic_inspector_cacert: +# Name of cloud in clouds.yaml. +ironic_inspector_cloud: + # Interface (public, internal, admin). ironic_inspector_interface: -# URL of Ironic Inspector API endpoint. -ironic_inspector_url: - # List of rules which should exist. See the Inspector rules API for details of # parameters available for rules. ironic_inspector_rules: [] 
diff --git a/ansible/roles/ironic-inspector-rules/library/os_ironic_inspector_rule.py b/ansible/roles/ironic-inspector-rules/library/os_ironic_inspector_rule.py index e71e19ceb..56c26e0fc 100644 --- a/ansible/roles/ironic-inspector-rules/library/os_ironic_inspector_rule.py +++ b/ansible/roles/ironic-inspector-rules/library/os_ironic_inspector_rule.py @@ -21,10 +21,6 @@ # Store a list of import errors to report to the user. IMPORT_ERRORS = [] -try: - import ironic_inspector_client -except Exception as e: - IMPORT_ERRORS.append(e) try: import openstack except Exception as e: @@ -78,29 +74,21 @@ """ -def _build_client(module, cloud): - """Create and return an Ironic inspector client.""" - # Ensure the requested API version is supported. - # API 1.14 is the latest API version available in Rocky. - api_version = (1, 14) - client = ironic_inspector_client.v1.ClientV1( - inspector_url=module.params['inspector_url'], - interface=module.params['interface'], - session=cloud.session, region_name=module.params['region_name'], - api_version=api_version) - return client +def _get_client(module, cloud): + """Return an Ironic inspector client.""" + return cloud.baremetal_introspection def _ensure_rule_present(module, client): """Ensure that an inspector rule is present.""" if module.params['uuid']: - try: - rule = client.rules.get(module.params['uuid']) - except ironic_inspector_client.ClientError as e: - if e.response.status_code != 404: + response = client.get('/rules/{}'.format(module.params['uuid'])) + if not response.ok: + if response.status_code != 404: module.fail_json(msg="Failed retrieving Inspector rule %s: %s" % (module.params['uuid'], repr(e))) else: + rule = response.json() # Check whether the rule differs from the request. keys = ('conditions', 'actions', 'description') for key in keys: 
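Review bot: In `_ensure_rule_present` the non-404 branch still formats `repr(e)`, but this hunk removes the `try/except` that bound `e`. Any other failure from `client.get` (for example a 401 now that authentication is enabled) will therefore raise NameError instead of reporting through `fail_json`. Use the response, as the delete path in this patch does: `% (module.params['uuid'], response.text))`. The function body continues past the end of this hunk.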
@@ -121,8 +109,16 @@ def _ensure_rule_present(module, client): # Rule differs - delete it before recreating. _ensure_rule_absent(module, client) - client.rules.create(module.params['conditions'], module.params['actions'], - module.params['uuid'], module.params['description']) + rule = { + "conditions": module.params['conditions'], + "actions": module.params['actions'], + "description": module.params['description'], + "uuid": module.params['uuid'], + } + response = client.post("/rules", json=rule) + if not response.ok: + module.fail_json(msg="Failed creating Inspector rule %s: %s" + % (module.params['uuid'], response.text)) return True @@ -130,14 +126,13 @@ def _ensure_rule_absent(module, client): """Ensure that an inspector rule is absent.""" if not module.params['uuid']: module.fail_json(msg="UUID is required to ensure rules are absent") - try: - client.rules.delete(module.params['uuid']) - except ironic_inspector_client.ClientError as e: + response = client.delete("/rules/{}".format(module.params['uuid'])) + if not response.ok: # If the rule does not exist, no problem and no change. - if e.response.status_code == 404: + if response.status_code == 404: return False module.fail_json(msg="Failed retrieving Inspector rule %s: %s" - % (module.params['uuid'], repr(e))) + % (module.params['uuid'], response.text)) return True @@ -149,7 +144,6 @@ def main(): uuid=dict(required=False), state=dict(required=False, default='present', choices=['present', 'absent']), - inspector_url=dict(required=False), ) module_kwargs = openstack_module_kwargs() module = AnsibleModule(argument_spec, **module_kwargs) 
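Review bot: In the `_ensure_rule_absent` hunk the message for a rejected DELETE still reads `Failed retrieving Inspector rule`, which points whoever reads the task output at the wrong operation. Since the line is already being edited to use `response.text`, change it to `module.fail_json(msg="Failed deleting Inspector rule %s: %s"`. Including `response.status_code` in that message would also make an authentication failure distinguishable from a server-side error.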
@@ -159,20 +153,9 @@ def main(): module.fail_json(msg="Import errors: %s" % ", ".join([repr(e) for e in IMPORT_ERRORS])) - if (module.params['auth_type'] in [None, 'None'] and - module.params['inspector_url'] is None): - module.fail_json(msg="Authentication appears disabled, please " - "define an inspector_url parameter") - - if (module.params['inspector_url'] and - module.params['auth_type'] in [None, 'None']): - module.params['auth'] = dict( - endpoint=module.params['inspector_url'] - ) - sdk, cloud = openstack_cloud_from_module(module) try: - client = _build_client(module, cloud) + client = _get_client(module, cloud) if module.params["state"] == "present": changed = _ensure_rule_present(module, client) else: diff --git a/ansible/roles/ironic-inspector-rules/tasks/main.yml b/ansible/roles/ironic-inspector-rules/tasks/main.yml index 47103073a..93fbe7fcb 100644 --- a/ansible/roles/ironic-inspector-rules/tasks/main.yml +++ b/ansible/roles/ironic-inspector-rules/tasks/main.yml @@ -1,14 +1,4 @@ --- -- name: Ensure required Python packages are installed - pip: - name: "{{ item.name }}" - version: "{{ item.version | default(omit) }}" - state: latest - virtualenv: "{{ ironic_inspector_venv }}" - extra_args: "{% if ironic_inspector_upper_constraints_file %}-c {{ ironic_inspector_upper_constraints_file }}{% endif %}" - with_items: - - name: python-ironic-inspector-client - - name: Ensure introspection rules exist vars: ansible_python_interpreter: "{{ ironic_inspector_venv }}/bin/python" 
@@ -16,11 +6,11 @@ auth_type: "{{ ironic_inspector_auth_type }}" auth: "{{ ironic_inspector_auth }}" cacert: "{{ ironic_inspector_cacert | default(omit, true) }}" + cloud: "{{ ironic_inspector_cloud | default(omit, true) }}" interface: "{{ ironic_inspector_interface | default(omit, true) }}" conditions: "{{ item.conditions }}" actions: "{{ item.actions }}" description: "{{ item.description | default(omit) }}" uuid: "{{ item.uuid | default(item.description | to_uuid) | default(omit) }}" state: present - inspector_url: "{{ ironic_inspector_url }}" with_items: "{{ ironic_inspector_rules }}" diff --git a/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml b/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml index 7ec8bf873..5269328fe 100644 --- a/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml +++ b/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml @@ -71,9 +71,6 @@ use_firewalld: "{{ kolla_bifrost_use_firewalld }}" # Firewalld zone used by Bifrost. firewalld_internal_zone: "{{ kolla_bifrost_firewalld_internal_zone }}" -# Disable authentication for the Ironic and Inspector APIs. -noauth_mode: true - # Enable discovery of nodes in Ironic Inspector. enable_inspector_discovery: true diff --git a/ansible/seed-credentials.yml b/ansible/seed-credentials.yml new file mode 100644 index 000000000..076086a5b --- /dev/null +++ b/ansible/seed-credentials.yml 
@@ -0,0 +1,45 @@ +--- +# Copy the Bifrost clouds.yaml file and CA certificate (if one is in use) to +# the host. This allows us to access the Ironic and Inspector APIs outside of +# the Bifrost container. +- name: Ensure credentials are available on the host + hosts: seed + tags: + - seed-credentials + vars: + openstack_config_dir: "{{ ansible_facts.env.HOME }}/.config/openstack" + tasks: + - name: Ensure OpenStack config directory exists + file: + path: "{{ openstack_config_dir }}" + state: directory + mode: 0700 + + - name: Get clouds.yaml from Bifrost container + command: + cmd: docker exec bifrost_deploy cat /root/.config/openstack/clouds.yaml + changed_when: false + register: clouds_yaml + no_log: true + + - name: Write clouds.yaml + copy: + content: | + {%- set clouds = clouds_yaml.stdout | from_yaml -%} + {%- for cloud in clouds.clouds.keys() | list -%} + {%- if 'cacert' in clouds.clouds[cloud] -%} + {%- set _ = clouds.clouds[cloud].update({'cacert': openstack_config_dir ~ '/bifrost.crt'}) -%} + {%- endif -%} + {%- endfor -%} + {{ clouds | to_nice_yaml }} + dest: "{{ openstack_config_dir }}/clouds.yaml" + mode: 0600 + + - name: Copy CA certificate from Bifrost container + vars: + clouds: "{{ clouds_yaml.stdout | from_yaml }}" + cacerts: "{{ clouds.clouds.values() | selectattr('cacert', 'defined') | map(attribute='cacert') | list }}" + command: + cmd: docker cp bifrost_deploy:{{ cacerts[0] }} {{ openstack_config_dir }}/bifrost.crt + changed_when: false + when: cacerts | length > 0 diff --git a/ansible/seed-introspection-rules.yml b/ansible/seed-introspection-rules.yml index 6c826150b..f59655af6 100644 --- a/ansible/seed-introspection-rules.yml +++ b/ansible/seed-introspection-rules.yml 
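Review bot: The `Write clouds.yaml` task renders the Bifrost credentials into `copy: content:` without `no_log: true`, although the `Get clouds.yaml from Bifrost container` task just above it is protected. When the playbook is run with `--diff`, Ansible can print the rendered file, which would put the auto-generated passwords in the console and any captured CI logs; add `no_log: true` to that task as well. The certificate copied with `docker cp` gets no explicit owner or mode, so a follow-up `file:` task that sets them would make the result independent of what the container holds. Quoting the modes (`mode: "0700"`, `mode: "0600"`) would avoid relying on YAML octal parsing.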
@@ -9,10 +9,7 @@ os_openstacksdk_state: latest ironic_inspector_venv: "{{ virtualenv_path }}/openstacksdk" ironic_inspector_upper_constraints_file: "{{ pip_upper_constraints_file }}" - # No auth required for Bifrost. - ironic_inspector_auth_type: None - ironic_inspector_auth: {} - ironic_inspector_url: "http://localhost:5050" + ironic_inspector_cloud: bifrost ironic_inspector_rules: "{{ kolla_bifrost_inspector_rules }}" # These variables may be referenced in the introspection rules. inspector_rule_var_ipmi_username: "{{ kolla_bifrost_inspector_ipmi_username }}" diff --git a/kayobe/cli/commands.py b/kayobe/cli/commands.py index 2afdc09e4..0898dd11a 100644 --- a/kayobe/cli/commands.py +++ b/kayobe/cli/commands.py @@ -714,6 +714,7 @@ def take_action(self, parsed_args): self.run_kolla_ansible_seed(parsed_args, "deploy-bifrost") playbooks = _build_playbook_list( + "seed-credentials", "seed-introspection-rules", "dell-switch-bmp") self.run_kayobe_playbooks(parsed_args, playbooks) @@ -748,6 +749,7 @@ def take_action(self, parsed_args): self.run_kayobe_playbooks(parsed_args, playbooks) self.run_kolla_ansible_seed(parsed_args, "upgrade-bifrost") playbooks = _build_playbook_list( + "seed-credentials", "seed-introspection-rules", "dell-switch-bmp") self.run_kayobe_playbooks(parsed_args, playbooks) diff --git a/kayobe/tests/unit/cli/test_commands.py b/kayobe/tests/unit/cli/test_commands.py index fc0afec04..87da04a9b 100644 --- a/kayobe/tests/unit/cli/test_commands.py +++ b/kayobe/tests/unit/cli/test_commands.py @@ -881,6 +881,8 @@ def test_seed_service_deploy(self, mock_kolla_run, mock_run): mock.call( mock.ANY, [ + utils.get_data_files_path( + "ansible", "seed-credentials.yml"), utils.get_data_files_path( "ansible", "seed-introspection-rules.yml"), utils.get_data_files_path( 
@@ -936,6 +938,8 @@ def test_seed_service_upgrade(self, mock_kolla_run, mock_run): mock.call( mock.ANY, [ + utils.get_data_files_path( + "ansible", "seed-credentials.yml"), utils.get_data_files_path( "ansible", "seed-introspection-rules.yml"), diff --git a/releasenotes/notes/seed-clouds-yaml-cbaf1961c5f8ceb0.yaml b/releasenotes/notes/seed-clouds-yaml-cbaf1961c5f8ceb0.yaml new file mode 100644 index 000000000..024fdd43e --- /dev/null +++ b/releasenotes/notes/seed-clouds-yaml-cbaf1961c5f8ceb0.yaml @@ -0,0 +1,9 @@ +--- +features: + - | + Adds support for copying the Bifrost ``clouds.yaml`` file and optionally a + TLS CA certificate from the Bifrost container to the seed host. This makes + it possible to enable authentication and TLS for Bifrost services. +upgrade: + - | + Enables authentication by default in Bifrost. From 283351b372002bd9cb7529ae30524505d91ecec5 Mon Sep 17 00:00:00 2001 From: Rafal Lewandowski Date: Wed, 14 Sep 2022 11:01:53 +0200 Subject: [PATCH 3/4] Update write_bifrost_clouds_yaml logic This is changed in order to facilitate running Ironic checks before OpenStack is deployed. Change-Id: Ibc4c9c93f52414c23cd7d8b4f1b32c85cb233681 (cherry picked from commit 20e2ac9cbd666ea1e856c24d3ccd6f44e99d2df1) --- dev/functions | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/dev/functions b/dev/functions index dd5a3b54f..53ced0fa8 100644 --- a/dev/functions +++ b/dev/functions 
@@ -620,16 +620,22 @@ function overcloud_test { } function write_bifrost_clouds_yaml { - # Generate a clouds.yaml for accessing the Ironic API in Bifrost. + SEED_IP="192.168.33.5" + + # Pull clouds.yaml from Bifrost container and change certificate path. if [[ ! -f ~/.config/openstack/clouds.yaml ]]; then mkdir -p ~/.config/openstack - cat << EOF > ~/.config/openstack/clouds.yaml ---- -clouds: - bifrost: - auth_type: "none" - endpoint: http://192.168.33.5:6385 -EOF + scp stack@$SEED_IP:/home/stack/.config/openstack/clouds.yaml ~/.config/openstack/clouds.yaml + sed -i 's|/home/stack/.config/openstack/bifrost.crt|~/.config/bifrost/bifrost.crt|g' ~/.config/openstack/clouds.yaml + else + echo "Not updating clouds.yaml file because it already exists at $HOME/.config/openstack/clouds.yaml. Try removing it if authentication against Bifrost fails." + fi + #Pull Bifrost PEM certificate from seed. + if [[ ! -f ~/.config/openstack/bifrost.crt ]]; then + mkdir -p ~/.config/openstack + scp stack@$SEED_IP:/home/stack/.config/openstack/bifrost.crt ~/.config/openstack/bifrost.crt + else + echo "Not updating Bifrost certificate file because it already exists at $HOME/.config/openstack/bifrost.crt. Try removing it if authentication against Bifrost fails." fi } From 0f95373c75a73dddb65840b634f34380b89777b0 Mon Sep 17 00:00:00 2001 From: Rafal Lewandowski Date: Tue, 4 Oct 2022 16:24:15 +0200 Subject: [PATCH 4/4] Fix for sed in write_bifrost_clouds_yaml function Fixed sed replacement line. Change-Id: I2e26a08ea37e5f558af533b38d096f011ed2a5b8 (cherry picked from commit 29c6f2ef887ab8205d12818de9388df7ddd66e52) --- dev/functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dev/functions b/dev/functions index 53ced0fa8..53b4513ef 100644 --- a/dev/functions +++ b/dev/functions 
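Review bot: The second block of `write_bifrost_clouds_yaml` runs `scp` for `bifrost.crt` whenever the local file is missing, but seed-credentials.yml in this series only creates that file on the seed when a `cacert` is set in clouds.yaml. On a deployment without TLS the copy will therefore fail on every call, and if the calling script runs under `set -e` (not visible here) it would abort. Tolerate the absence explicitly, e.g. `scp stack@$SEED_IP:/home/stack/.config/openstack/bifrost.crt ~/.config/openstack/bifrost.crt || echo "No Bifrost CA certificate on seed; assuming TLS is disabled"`. The comment `# Pull clouds.yaml from Bifrost container` should say the file is pulled from the seed host, since that is where `scp` reads it.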
@@ -621,12 +621,12 @@ function overcloud_test { function write_bifrost_clouds_yaml { SEED_IP="192.168.33.5" - + # Pull clouds.yaml from Bifrost container and change certificate path. if [[ ! -f ~/.config/openstack/clouds.yaml ]]; then mkdir -p ~/.config/openstack scp stack@$SEED_IP:/home/stack/.config/openstack/clouds.yaml ~/.config/openstack/clouds.yaml - sed -i 's|/home/stack/.config/openstack/bifrost.crt|~/.config/bifrost/bifrost.crt|g' ~/.config/openstack/clouds.yaml + sed -i 's|/home/stack/.config/openstack/bifrost.crt|~/.config/openstack/bifrost.crt|g' ~/.config/openstack/clouds.yaml else echo "Not updating clouds.yaml file because it already exists at $HOME/.config/openstack/clouds.yaml. Try removing it if authentication against Bifrost fails." fi
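Review bot: The corrected `sed` only runs inside the `if [[ ! -f ~/.config/openstack/clouds.yaml ]]` branch, so a clouds.yaml already rewritten by the previous revision keeps the `~/.config/bifrost/bifrost.crt` path and is never repaired. TLS verification against Bifrost then fails until the file is removed by hand. A comment above the `sed` would make that explicit: `# NOTE: files written before this fix point at ~/.config/bifrost/bifrost.crt; delete clouds.yaml to regenerate it`. The rest of the function lies outside this hunk.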