Merge branch 'stackhpc/xena' into upstream/xena-2022-10-17

stackhpc · Oct 17, 2022 · fc00e61 · fc00e61
2 parents 41a65ec + 38c7277
commit fc00e61
Show file tree

Hide file tree

Showing 76 changed files with 1,583 additions and 57 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @stackhpc/kayobe
diff --git a/.github/workflows/tag-and-release.yml b/.github/workflows/tag-and-release.yml
@@ -0,0 +1,11 @@
+---
+name: Tag & Release
+'on':
+  push:
+    branches:
+      - stackhpc/xena
+permissions:
+  contents: write
+jobs:
+  tag-and-release:
+    uses: stackhpc/.github/.github/workflows/tag-and-release.yml@main
diff --git a/.github/workflows/tox.yml b/.github/workflows/tox.yml
@@ -0,0 +1,7 @@
+---
+name: Tox Continuous Integration
+'on':
+  pull_request:
+jobs:
+  tox:
+    uses: stackhpc/.github/.github/workflows/tox.yml@main
diff --git a/ansible/compute-libvirt-host.yml b/ansible/compute-libvirt-host.yml
@@ -0,0 +1,59 @@
+---
+- name: Ensure the libvirt daemon is configured
+  hosts: compute
+  tags:
+    - libvirt-host
+  tasks:
+    - name: Ensure Ceph package repository is available
+      package:
+        name: "centos-release-ceph-{{ compute_libvirt_ceph_repo_release }}"
+        state: present
+      when:
+        - compute_libvirt_enabled | bool
+        - ansible_facts.distribution in ['CentOS', 'Rocky']
+        - compute_libvirt_ceph_repo_install | bool
+      become: true
+
+    - name: Include stackhpc.libvirt-host role
+      include_role:
+        name: stackhpc.libvirt-host
+      vars:
+        libvirt_host_libvirtd_conf: "{{ compute_libvirt_conf }}"
+        libvirt_host_qemu_conf: "{{ compute_qemu_conf }}"
+        libvirt_host_enable_sasl_support: "{{ compute_libvirt_enable_sasl | bool }}"
+        libvirt_host_sasl_authname: nova
+        libvirt_host_sasl_password: "{{ compute_libvirt_sasl_password }}"
+        libvirt_host_tcp_listen: "{{ not compute_libvirt_enable_tls | bool }}"
+        libvirt_host_tcp_listen_address: "{{ internal_net_name | net_ip }}:16509"
+        libvirt_host_tls_listen: "{{ compute_libvirt_enable_tls | bool }}"
+        libvirt_host_tls_listen_address: "{{ internal_net_name | net_ip }}:16514"
+        # TLS server and client certificates.
+        libvirt_host_tls_server_cert: >-
+          {{ lookup('file', lookup('first_found', lookup_params | combine({'files': ['servercert.pem']})))
+             if libvirt_host_tls_listen | default(False) | bool else '' }}
+        libvirt_host_tls_server_key: >-
+          {{ lookup('file', lookup('first_found', lookup_params | combine({'files': ['serverkey.pem']})))
+             if libvirt_host_tls_listen | default(False) | bool else '' }}
+        libvirt_host_tls_client_cert: >-
+          {{ lookup('file', lookup('first_found', lookup_params | combine({'files': ['clientcert.pem']})))
+             if libvirt_host_tls_listen | default(False) | bool else '' }}
+        libvirt_host_tls_client_key: >-
+          {{ lookup('file', lookup('first_found', lookup_params | combine({'files': ['clientkey.pem']})))
+             if libvirt_host_tls_listen | default(False) | bool else '' }}
+        libvirt_host_tls_cacert: >-
+          {{ lookup('file', lookup('first_found', lookup_params | combine({'files': ['cacert.pem']})))
+             if libvirt_host_tls_listen | default(False) | bool else '' }}
+        lookup_params:
+          paths: "{{ libvirt_tls_cert_paths }}"
+          skip: true
+        # Support loading libvirt TLS certificates & keys from per-host and
+        # global locations.
+        libvirt_tls_cert_paths: >-
+          {{ (libvirt_tls_cert_dirs | unique | product([inventory_hostname]) | map('path_join') | list +
+              libvirt_tls_cert_dirs | unique | list) | list }}
+        libvirt_tls_cert_dirs:
+          - "{{ kayobe_env_config_path }}/certificates/libvirt"
+          - "{{ kayobe_config_path }}/certificates/libvirt"
+        libvirt_host_enable_efi_support: true
+      when:
+        - compute_libvirt_enabled | bool
diff --git a/ansible/group_vars/all/bifrost b/ansible/group_vars/all/bifrost
@@ -65,6 +65,12 @@ kolla_bifrost_dib_packages: []
 # Name of disk image file to deploy. Default is "deployment_image.qcow2".
 kolla_bifrost_deploy_image_filename: "deployment_image.qcow2"
 
+# UUID of the root filesystem contained within the deployment image.
+# See below URL for instructions on how to extract it:
+# https://docs.openstack.org/ironic/latest/admin/raid.html#image-requirements
+# Default is none.
+kolla_bifrost_deploy_image_rootfs:
+
 ###############################################################################
 # Ironic configuration.
 

diff --git a/ansible/group_vars/all/compute b/ansible/group_vars/all/compute
@@ -161,3 +161,61 @@ compute_firewalld_default_zone:
 # - permanent: true
 # - state: enabled
 compute_firewalld_rules: []
+
+###############################################################################
+# Compute node host libvirt configuration.
+
+# Whether to enable a host libvirt daemon. Default is true if kolla_enable_nova
+# is true and kolla_enable_nova_libvirt_container is false.
+compute_libvirt_enabled: "{{ kolla_enable_nova | bool and not kolla_enable_nova_libvirt_container | bool }}"
+
+# A dict of default configuration options to write to
+# /etc/libvirt/libvirtd.conf.
+compute_libvirt_conf_default:
+  auth_tcp: "{{ 'sasl' if compute_libvirt_enable_sasl | bool else 'none' }}"
+  auth_tls: "{{ 'sasl' if compute_libvirt_enable_sasl | bool else 'none' }}"
+  log_level: "{{ compute_libvirtd_log_level }}"
+
+# A dict of additional configuration options to write to
+# /etc/libvirt/libvirtd.conf.
+compute_libvirt_conf_extra: {}
+
+# A dict of configuration options to write to /etc/libvirt/libvirtd.conf.
+# Default is a combination of compute_libvirt_conf_default and
+# compute_libvirt_conf_extra.
+compute_libvirt_conf: "{{ compute_libvirt_conf_default | combine(compute_libvirt_conf_extra) }}"
+
+# Numerical log level for libvirtd. Default is 3.
+compute_libvirtd_log_level: 3
+
+# A dict of default configuration options to write to
+# /etc/libvirt/qemu.conf.
+compute_qemu_conf_default:
+  max_files: 32768
+  max_processes: 131072
+
+# A dict of additional configuration options to write to
+# /etc/libvirt/qemu.conf.
+compute_qemu_conf_extra: {}
+
+# A dict of configuration options to write to /etc/libvirt/qemu.conf.
+# Default is a combination of compute_qemu_conf_default and
+# compute_qemu_conf_extra.
+compute_qemu_conf: "{{ compute_qemu_conf_default | combine(compute_qemu_conf_extra) }}"
+
+# Whether to enable libvirt SASL authentication. Default is true.
+compute_libvirt_enable_sasl: true
+
+# libvirt SASL password. Default is unset.
+compute_libvirt_sasl_password:
+
+# Whether to enable a libvirt TLS listener. Default is false.
+compute_libvirt_enable_tls: false
+
+# Whether to install a Ceph package repository on CentOS and Rocky hosts.
+# Default is true.
+compute_libvirt_ceph_repo_install: true
+
+# Ceph package repository release to install on CentOS and Rocky hosts when
+# compute_libvirt_ceph_repo_install is true. Default is 'pacific'.
+compute_libvirt_ceph_repo_release: pacific
diff --git a/ansible/group_vars/all/ipa b/ansible/group_vars/all/ipa
@@ -19,6 +19,9 @@ ipa_builder_source_url: "https://opendev.org/openstack/ironic-python-agent-build
 # Version of IPA builder source repository. Default is {{ openstack_branch }}.
 ipa_builder_source_version: "{{ openstack_branch }}"
 
+# List of additional build host packages to install.
+ipa_build_dib_host_packages_extra: []
+
 # List of default Diskimage Builder (DIB) elements to use when building IPA
 # images. Default is ["centos", "enable-serial-console",
 # "ironic-python-agent-ramdisk"].

diff --git a/ansible/group_vars/all/kolla b/ansible/group_vars/all/kolla
@@ -558,6 +558,7 @@ kolla_enable_murano: "no"
 kolla_enable_neutron_mlnx: "no"
 kolla_enable_neutron_provider_networks: "no"
 kolla_enable_neutron_sriov: "no"
+kolla_enable_nova_libvirt_container: "yes"
 kolla_enable_octavia: "no"
 kolla_enable_openvswitch: "{{ kolla_enable_neutron | bool }}"
 kolla_enable_ovn: "no"
@@ -585,9 +586,9 @@ kolla_enable_zun: "no"
 ###############################################################################
 # Passwords and credentials.
 
-# Dictionary containing default custom passwords to add or override in the
+# Dictionary containing base custom passwords to add or override in the
 # Kolla passwords file.
-kolla_ansible_default_custom_passwords:
+kolla_ansible_base_custom_passwords:
   # SSH key authorized in hosts deployed by Bifrost.
   bifrost_ssh_key:
     private_key: "{{ lookup('file', ssh_private_key_path) }}"
@@ -598,6 +599,19 @@ kolla_ansible_default_custom_passwords:
     public_key: "{{ lookup('file', ssh_public_key_path) }}"
   docker_registry_password: "{{ kolla_docker_registry_password }}"
 
+# Dictionary containing libvirt custom passwords to add or override in the
+# Kolla passwords file.
+kolla_ansible_libvirt_custom_passwords:
+  libvirt_sasl_password: "{{ compute_libvirt_sasl_password }}"
+
+# Dictionary containing default custom passwords to add or override in the
+# Kolla passwords file.
+kolla_ansible_default_custom_passwords: >-
+  {{ kolla_ansible_base_custom_passwords |
+     combine(kolla_ansible_libvirt_custom_passwords
+             if compute_libvirt_enabled | bool and compute_libvirt_enable_sasl | bool
+             else {}) }}
+
 # Dictionary containing custom passwords to add or override in the Kolla
 # passwords file.
 kolla_ansible_custom_passwords: "{{ kolla_ansible_default_custom_passwords }}"
@@ -653,3 +667,18 @@ kolla_internal_tls_cert:
 # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
 kolla_internal_fqdn_cacert:
+
+###############################################################################
+# Proxy configuration
+
+# HTTP proxy URL (format: http(s)://[user:password@]proxy_name:port) used by
+# Kolla. Default value is "{{ http_proxy }}".
+kolla_http_proxy: "{{ http_proxy }}"
+
+# HTTPS proxy URL (format: http(s)://[user:password@]proxy_name:port) used by
+# Kolla. Default value is "{{ https_proxy }}".
+kolla_https_proxy: "{{ https_proxy }}"
+
+# List of domains, hostnames, IP addresses and networks for which no proxy is
+# used. Default value is "{{ no_proxy }}".
+kolla_no_proxy: "{{ no_proxy }}"
diff --git a/ansible/group_vars/all/overcloud-dib b/ansible/group_vars/all/overcloud-dib
@@ -0,0 +1,95 @@
+---
+# Overcloud host disk image configuration.
+
+###############################################################################
+# Diskimage-builder configuration for overcloud host disk images.
+
+# Whether to build host disk images with DIB directly instead of through
+# Bifrost. Setting it to true disables Bifrost image build and allows images to
+# be built with the `kayobe overcloud host image build` command. Default value
+# is {{ os_distribution == 'rocky' }}. This will change in a future release.
+overcloud_dib_build_host_images: "{{ os_distribution == 'rocky' }}"
+
+# List of additional build host packages to install.
+overcloud_dib_host_packages_extra: []
+
+# List of overcloud host disk images to build. Each element is a dict defining
+# an image in a format accepted by the stackhpc.os-images role. Default is to
+# build an image named "deployment_image" configured with the overcloud_dib_*
+# variables defined below: {"name": "deployment_image", "elements": "{{
+# overcloud_dib_elements }}", "env": "{{ overcloud_dib_env_vars }}",
+# "packages": "{{ overcloud_dib_packages }}"}.
+overcloud_dib_host_images:
+  - name: "deployment_image"
+    elements: "{{ overcloud_dib_elements }}"
+    env: "{{ overcloud_dib_env_vars }}"
+    packages: "{{ overcloud_dib_packages }}"
+
+# DIB base OS element. Default is {{ 'rocky-container' if os_distribution ==
+# 'rocky' else os_distribution }}.
+overcloud_dib_os_element: "{{ 'rocky-container' if os_distribution == 'rocky' else os_distribution }}"
+
+# DIB image OS release. Default is {{ os_release }}.
+overcloud_dib_os_release: "{{ os_release }}"
+
+# List of default DIB elements. Default is ["centos", "cloud-init-datasources",
+# "disable-selinux", "enable-serial-console", "vm"] when
+# overcloud_dib_os_element is "centos", or ["rocky-container",
+# "cloud-init-datasources", "disable-selinux", "enable-serial-console", "vm"]
+# when overcloud_dib_os_element is "rocky" or
+# ["ubuntu", "cloud-init-datasources", "enable-serial-console", "vm"]
+# when overcloud_dib_os_element is "ubuntu".
+overcloud_dib_elements_default:
+  - "{{ overcloud_dib_os_element }}"
+  - "cloud-init-datasources"
+  - "{% if overcloud_dib_os_element in ['centos', 'rocky'] %}disable-selinux{% endif %}"
+  - "enable-serial-console"
+  - "vm"
+
+# List of additional DIB elements. Default is none.
+overcloud_dib_elements_extra: []
+
+# List of DIB elements. Default is a combination of
+# overcloud_dib_elements_default and overcloud_dib_elements_extra.
+overcloud_dib_elements: "{{ overcloud_dib_elements_default | select | list + overcloud_dib_elements_extra }}"
+
+# DIB default environment variables. Default is
+# {"DIB_BOOTLOADER_DEFAULT_CMDLINE": "nofb nomodeset gfxpayload=text
+# net.ifnames=1", "DIB_CLOUD_INIT_DATASOURCES": "ConfigDrive",
+# "DIB_CONTAINERFILE_RUNTIME": "docker", "DIB_CONTAINERFILE_NETWORK_DRIVER":
+# "host", "DIB_RELEASE": "{{ overcloud_dib_os_release }}"}.
+overcloud_dib_env_vars_default:
+  DIB_BOOTLOADER_DEFAULT_CMDLINE: "nofb nomodeset gfxpayload=text net.ifnames=1"
+  DIB_CLOUD_INIT_DATASOURCES: "ConfigDrive"
+  DIB_CONTAINERFILE_RUNTIME: "docker"
+  DIB_CONTAINERFILE_NETWORK_DRIVER: "host"
+  DIB_RELEASE: "{{ overcloud_dib_os_release }}"
+
+# DIB additional environment variables. Default is none.
+overcloud_dib_env_vars_extra: {}
+
+# DIB environment variables. Default is combination of
+# overcloud_dib_env_vars_default and overcloud_dib_env_vars_extra.
+overcloud_dib_env_vars: "{{ overcloud_dib_env_vars_default | combine(overcloud_dib_env_vars_extra) }}"
+
+# List of DIB packages to install. Default is to install no extra packages.
+overcloud_dib_packages: []
+
+# List of default git repositories containing Diskimage Builder (DIB) elements.
+# See stackhpc.os-images role for usage. Default is empty.
+overcloud_dib_git_elements_default: []
+
+# List of additional git repositories containing Diskimage Builder (DIB)
+# elements. See stackhpc.os-images role for usage. Default is empty.
+overcloud_dib_git_elements_extra: []
+
+# List of git repositories containing Diskimage Builder (DIB) elements. See
+# stackhpc.os-images role for usage. Default is a combination of
+# overcloud_dib_git_elements_default and overcloud_dib_git_elements_extra.
+overcloud_dib_git_elements: >-
+  {{ overcloud_dib_git_elements_default + overcloud_dib_git_elements_extra }}
+
+# Upper constraints file for installing packages in the virtual environment
+# used for building overcloud host disk images. Default is {{
+# pip_upper_constraints_file }}.
+overcloud_dib_upper_constraints_file: "{{ pip_upper_constraints_file }}"
diff --git a/ansible/group_vars/all/proxy b/ansible/group_vars/all/proxy
@@ -0,0 +1,21 @@
+---
+###############################################################################
+# Configuration of HTTP(S) proxies.
+
+# HTTP proxy URL (format: http(s)://[user:password@]proxy_name:port). By
+# default no proxy is used.
+http_proxy: ""
+
+# HTTPS proxy URL (format: http(s)://[user:password@]proxy_name:port). By
+# default no proxy is used.
+https_proxy: ""
+
+# List of domains, hostnames, IP addresses and networks for which no proxy is
+# used. Defaults to ["127.0.0.1", "localhost", "{{ ('http://' ~
+# docker_registry) | urlsplit('hostname') }}"] if docker_registry is set, or
+# ["127.0.0.1", "localhost"] otherwise. This is configured only if either
+# http_proxy or https_proxy is set.
+no_proxy:
+  - "127.0.0.1"
+  - "localhost"
+  - "{{ ('http://' ~ docker_registry) | urlsplit('hostname') if docker_registry else '' }}"
diff --git a/ansible/kolla-ansible.yml b/ansible/kolla-ansible.yml
@@ -103,6 +103,7 @@
         kolla_inspector_netmask: "{{ inspection_net_name | net_mask }}"
         kolla_inspector_default_gateway: "{{ inspection_net_name | net_inspection_gateway or inspection_net_name | net_gateway }}"
         kolla_inspector_extra_kernel_options: "{{ inspector_extra_kernel_options }}"
+        kolla_libvirt_tls: "{{ compute_libvirt_enable_tls | bool }}"
         kolla_enable_host_ntp: false
         docker_daemon_mtu: "{{ public_net_name | net_mtu | default }}"
         kolla_globals_paths_extra:

diff --git a/ansible/kolla-bifrost-hostvars.yml b/ansible/kolla-bifrost-hostvars.yml
@@ -15,6 +15,7 @@
     bifrost_hostvars:
       addressing_mode: static
       deploy_image_filename: "{{ kolla_bifrost_deploy_image_filename }}"
+      deploy_image_rootfs: "{{ kolla_bifrost_deploy_image_rootfs | default(omit, true) }}"
       ipv4_interface_mac: "{% raw %}{{ extra.pxe_interface_mac | default }}{% endraw %}"
       ipv4_address: "{{ admin_oc_net_name | net_ip }}"
       ipv4_subnet_mask: "{{ admin_oc_net_name | net_mask }}"

diff --git a/ansible/kolla-openstack.yml b/ansible/kolla-openstack.yml
@@ -249,3 +249,5 @@
       kolla_extra_sahara: "{{ kolla_extra_config.sahara | default }}"
       kolla_extra_zookeeper: "{{ kolla_extra_config.zookeeper | default }}"
       kolla_extra_config_path: "{{ kayobe_env_config_path }}/kolla/config"
+      kolla_libvirt_tls: "{{ compute_libvirt_enable_tls | bool }}"
+      kolla_nova_libvirt_certificates_src: "{{ kayobe_env_config_path }}/certificates/libvirt"