From 9342f24936b9a30867a64bc2ac4d7fa171f67741 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Mon, 2 Mar 2026 14:29:08 +0100 Subject: [PATCH 01/10] Fix compatibility with python-ironicclient 6.0.0 Release 6.0.0 of python-ironicclient changed the way node attributes are named in JSON output [1]. We now need to access attributes using lower case. [1] https://review.opendev.org/c/openstack/python-ironicclient/+/973948 Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/901100 Change-Id: Iccb99cfd1a723b3680b64781488d15e417642522 Signed-off-by: Pierre Riteau --- ansible/baremetal-compute-rename.yml | 6 ++--- ansible/baremetal-compute-serial-console.yml | 24 +++++++++---------- .../ipa-images/tasks/set-driver-info.yml | 14 +++++------ 3 files changed, 22 insertions(+), 22 deletions(-) diff --git a/ansible/baremetal-compute-rename.yml b/ansible/baremetal-compute-rename.yml index b2dd3330c..7a4ef1cdc 100644 --- a/ansible/baremetal-compute-rename.yml +++ b/ansible/baremetal-compute-rename.yml @@ -54,7 +54,7 @@ - name: Rename baremetal compute nodes command: > - {{ venv }}/bin/openstack baremetal node set --name "{{ inventory_hostname }}" "{{ node['UUID'] }}" + {{ venv }}/bin/openstack baremetal node set --name "{{ inventory_hostname }}" "{{ node['uuid'] }}" delegate_to: "{{ controller_host }}" environment: "{{ openstack_auth_env }}" vars: 
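Review bot: The new `node['uuid']` lookup hard-codes the lower-case key layout of python-ironicclient 6.0.0 with no fallback, so an older client in `{{ venv }}` now fails on an undefined key instead of behaving as before; the same applies to the `node['name']`, `driver_info` and `item.name`/`item.uuid` lookups in the other hunks of this patch (baremetal-compute-rename.yml @@ -62, both baremetal-compute-serial-console.yml hunks, and set-driver-info.yml). The Depends-On presumably pins the client version, but that is not visible here, so a short comment above the command would help the next reader: `# NOTE: key names follow python-ironicclient >= 6.0.0 JSON output (lower case).` The enclosing play starts before this hunk.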
@@ -62,8 +62,8 @@ # be respected when using delegate_to. ansible_host: "{{ hostvars[controller_host].ansible_host | default(controller_host) }}" ipmi_address: "{{ hostvars[inventory_hostname].ipmi_address }}" - matching_nodes: "{{ (nodes.stdout | from_json) | selectattr('Driver Info.ipmi_address', 'defined') | selectattr('Driver Info.ipmi_address', 'equalto', ipmi_address) | list }}" + matching_nodes: "{{ (nodes.stdout | from_json) | selectattr('driver_info.ipmi_address', 'defined') | selectattr('driver_info.ipmi_address', 'equalto', ipmi_address) | list }}" node: "{{ matching_nodes | first }}" when: - matching_nodes | length > 0 - - node['Name'] != inventory_hostname + - node['name'] != inventory_hostname diff --git a/ansible/baremetal-compute-serial-console.yml b/ansible/baremetal-compute-serial-console.yml index 9de0ae976..cd987a485 100644 --- a/ansible/baremetal-compute-serial-console.yml +++ b/ansible/baremetal-compute-serial-console.yml @@ -79,11 +79,11 @@ fail: msg: >- In order to use the serial console you must set the console_interface to ipmitool-socat. - when: node["Console Interface"] != "ipmitool-socat" + when: node["console_interface"] != "ipmitool-socat" - name: Set IPMI serial console terminal port vars: - name: "{{ node['Name'] }}" + name: "{{ node['name'] }}" port: "{{ hostvars[controller_host].console_allocation_result.ports[name] }}" # NOTE: Without this, the controller's ansible_host variable will not # be respected when using delegate_to. @@ -93,8 +93,8 @@ delegate_to: "{{ controller_host }}" environment: "{{ openstack_auth_env }}" when: >- - node['Driver Info'].ipmi_terminal_port is not defined or - node['Driver Info'].ipmi_terminal_port | int != port | int + node['driver_info'].ipmi_terminal_port is not defined or + node['driver_info'].ipmi_terminal_port | int != port | int - name: Enable the IPMI socat serial console vars: 
@@ -102,14 +102,14 @@ # be respected when using delegate_to. ansible_host: "{{ hostvars[controller_host].ansible_host | default(controller_host) }}" command: > - {{ venv }}/bin/openstack baremetal node console enable {{ node['Name'] }} + {{ venv }}/bin/openstack baremetal node console enable {{ node['name'] }} delegate_to: "{{ controller_host }}" environment: "{{ openstack_auth_env }}" - when: not node['Console Enabled'] + when: not node['console_enabled'] vars: matching_nodes: >- - {{ (nodes.stdout | from_json) | selectattr('Name', 'defined') | - selectattr('Name', 'equalto', inventory_hostname) | list }} + {{ (nodes.stdout | from_json) | selectattr('name', 'defined') | + selectattr('name', 'equalto', inventory_hostname) | list }} node: "{{ matching_nodes | first }}" when: - cmd == "enable" @@ -122,14 +122,14 @@ # be respected when using delegate_to. ansible_host: "{{ hostvars[controller_host].ansible_host | default(controller_host) }}" command: > - {{ venv }}/bin/openstack baremetal node console disable {{ node['Name'] }} + {{ venv }}/bin/openstack baremetal node console disable {{ node['name'] }} delegate_to: "{{ controller_host }}" environment: "{{ openstack_auth_env }}" - when: node['Console Enabled'] + when: node['console_enabled'] vars: matching_nodes: >- - {{ (nodes.stdout | from_json) | selectattr('Name', 'defined') | - selectattr('Name', 'equalto', inventory_hostname) | list }} + {{ (nodes.stdout | from_json) | selectattr('name', 'defined') | + selectattr('name', 'equalto', inventory_hostname) | list }} node: "{{ matching_nodes | first }}" when: - cmd == "disable" diff --git a/ansible/roles/ipa-images/tasks/set-driver-info.yml b/ansible/roles/ipa-images/tasks/set-driver-info.yml index c2c11fcc9..6ddcbc89e 100644 --- a/ansible/roles/ipa-images/tasks/set-driver-info.yml +++ b/ansible/roles/ipa-images/tasks/set-driver-info.yml 
@@ -36,11 +36,11 @@ - name: Make sure openstack nodes are in baremetal-compute group add_host: - name: "{{ item.Name }}" + name: "{{ item.name }}" groups: baremetal-compute when: - - item.Name is not none - - item.Name not in groups["baremetal-compute"] + - item.name is not none + - item.name not in groups["baremetal-compute"] with_items: "{{ ipa_images_ironic_node_list.stdout | from_json }}" - name: Set fact containing filtered list of nodes @@ -55,15 +55,15 @@ set_fact: ipa_images_ironic_nodes: "{{ ipa_images_ironic_nodes + [item] }}" with_items: "{{ ipa_images_ironic_node_list.stdout | from_json }}" - when: item['Name'] in ipa_images_compute_node_whitelist + when: item['name'] in ipa_images_compute_node_whitelist - name: Ensure ironic nodes use the new Ironic Python Agent (IPA) images command: > - {{ ipa_images_venv }}/bin/openstack baremetal node set {{ item.UUID }} + {{ ipa_images_venv }}/bin/openstack baremetal node set {{ item.uuid }} --driver-info deploy_kernel={{ ipa_images_kernel_uuid }} --driver-info deploy_ramdisk={{ ipa_images_ramdisk_uuid }} with_items: "{{ ipa_images_ironic_nodes }}" when: - item["Driver Info"].deploy_kernel != ipa_images_kernel_uuid or - item["Driver Info"].deploy_ramdisk != ipa_images_ramdisk_uuid + item["driver_info"].deploy_kernel != ipa_images_kernel_uuid or + item["driver_info"].deploy_ramdisk != ipa_images_ramdisk_uuid environment: "{{ ipa_images_ironic_openstack_auth_env }}" From 505da7a072fc7688fa7afd9a0ec68d449e1366c1 Mon Sep 17 00:00:00 2001 From: Matt Crees Date: Tue, 3 Mar 2026 11:12:25 +0000 Subject: [PATCH 02/10] Drop backwards compatibility for template trusting With the G cycle, this feature is always supported. Change-Id: I0ccbfd7baa2ae43f06a91f34d8357d91e57317ee Signed-off-by: Matt Crees --- kayobe/plugins/action/kolla_ansible_host_vars.py | 11 +---------- kayobe/plugins/action/merge_configs.py | 10 +--------- kayobe/plugins/action/merge_yaml.py | 10 +--------- 3 files changed, 3 insertions(+), 28 deletions(-) 
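Review bot: The rewritten `when:` on the "Ensure ironic nodes use the new Ironic Python Agent (IPA) images" task still dereferences `item["driver_info"].deploy_kernel` and `.deploy_ramdisk` directly, so a node whose driver_info does not yet contain those keys fails the template instead of being selected for the update; the serial-console hunk in this same patch guards the equivalent `driver_info.ipmi_terminal_port` with `is not defined`, and a default here would match that: `item["driver_info"].deploy_kernel | default('') != ipa_images_kernel_uuid or` / `item["driver_info"].deploy_ramdisk | default('') != ipa_images_ramdisk_uuid`. Whether Ironic always returns those keys cannot be told from this hunk; if it does, a one-line comment saying so would be enough. The enclosing task list continues outside the hunk.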
diff --git a/kayobe/plugins/action/kolla_ansible_host_vars.py b/kayobe/plugins/action/kolla_ansible_host_vars.py
index d6b620980..085e60004 100644
--- a/kayobe/plugins/action/kolla_ansible_host_vars.py
+++ b/kayobe/plugins/action/kolla_ansible_host_vars.py
@@ -13,16 +13,7 @@ # under the License.
 from ansible.plugins.action import ActionBase
-
-# TODO(dougszu): From Ansible 12 onwards we must explicitly trust templates.
-# Since this feature is not supported in previous releases, we define a
-# noop method here for backwards compatibility. This can be removed in the
-# G cycle.
-try:
- from ansible.template import trust_as_template
-except ImportError:
- def trust_as_template(template):
- return template
+from ansible.template import trust_as_template
 class ConfigError(Exception):
diff --git a/kayobe/plugins/action/merge_configs.py b/kayobe/plugins/action/merge_configs.py
index d1c22e25a..605414bfc 100644
--- a/kayobe/plugins/action/merge_configs.py
+++ b/kayobe/plugins/action/merge_configs.py
@@ -24,15 +24,7 @@ from ansible import constants
 from ansible.plugins import action
-# TODO(dougszu): From Ansible 12 onwards we must explicitly trust templates.
-# Since this feature is not supported in previous releases, we define a
-# noop method here for backwards compatibility. This can be removed in the
-# G cycle.
-try:
- from ansible.template import trust_as_template
-except ImportError:
- def trust_as_template(template):
- return template
+from ansible.template import trust_as_template
 from io import StringIO
diff --git a/kayobe/plugins/action/merge_yaml.py b/kayobe/plugins/action/merge_yaml.py
index 41ab5f099..35d250371 100644
--- a/kayobe/plugins/action/merge_yaml.py
+++ b/kayobe/plugins/action/merge_yaml.py
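Review bot: Making `from ansible.template import trust_as_template` unconditional turns the Ansible 12 requirement described in the removed TODO into a hard import-time dependency of every action plugin, yet the diffstat shows only the three plugin files changing, so no ansible-core lower bound is raised in the same commit; if the floor is not already pinned elsewhere, these plugins now fail with ImportError on older releases where they previously fell back to the no-op. The same applies to the merge_configs.py hunk on this line and the merge_yaml.py hunk that follows. A comment on the import, `# Requires Ansible 12 or later; there is no fallback for older releases.`, or a sentence in the description naming where the floor is enforced, would close the gap.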
@@ -27,15 +27,7 @@ from ansible import errors as ansible_errors from ansible.plugins import action -# TODO(dougszu): From Ansible 12 onwards we must explicitly trust templates. -# Since this feature is not supported in previous releases, we define a -# noop method here for backwards compatibility. This can be removed in the -# G cycle. -try: - from ansible.template import trust_as_template -except ImportError: - def trust_as_template(template): - return template +from ansible.template import trust_as_template DOCUMENTATION = ''' --- From a46f6484f8b361c322533bfe60b6cfe12aeca85a Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Thu, 29 Jan 2026 16:00:32 +0000 Subject: [PATCH 03/10] [networkd] Fix broken conditional [DEPRECATION WARNING]: Conditional result (False) was derived from value of type 'int' at '/home/ubuntu/kayobe/ansible/roles/network-debian/tasks/main.yml:51:9'. Conditionals must have a boolean result. This feature will be removed from ansible-core version 2.23. Origin: /home/ubuntu/kayobe/ansible/roles/network-debian/tasks/main.yml:51:9 49 command: "udevadm trigger --verbose --subsystem-match=net --action=add" 50 changed_when: false 51 when: network_interfaces | networkd_links | length ^ column 9 Broken conditionals are currently allowed because the `ALLOW_BROKEN_CONDITIONALS` configuration option is enabled. TrivialFix Change-Id: I3e04902ac1cf129d325d291cafb719fd15a84368 Signed-off-by: Will Szumski --- ansible/roles/network-debian/tasks/main.yml | 2 +- requirements.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/network-debian/tasks/main.yml b/ansible/roles/network-debian/tasks/main.yml index 27091a841..c1c75ea53 100644 --- a/ansible/roles/network-debian/tasks/main.yml +++ b/ansible/roles/network-debian/tasks/main.yml 
@@ -48,4 +48,4 @@ become: true command: "udevadm trigger --verbose --subsystem-match=net --action=add" changed_when: false - when: network_interfaces | networkd_links | length + when: network_interfaces | networkd_links | length > 0 diff --git a/requirements.yml b/requirements.yml index e0aa67977..81a221af9 100644 --- a/requirements.yml +++ b/requirements.yml @@ -18,7 +18,7 @@ collections: - name: openstack.cloud version: '<3' - name: stackhpc.linux - version: 1.5.1 + version: 1.5.2 - name: stackhpc.network version: 1.0.0 - name: stackhpc.openstack From 190b79b5d02a67be5353b5e908f6f3aa909aac49 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Thu, 29 Jan 2026 17:36:21 +0000 Subject: [PATCH 04/10] [firewalld] Fix broken conditional Broken conditionals are currently allowed because the `ALLOW_BROKEN_CONDITIONALS` configuration option is enabled. [DEPRECATION WARNING]: Conditional result (True) was derived from value of type 'str' at '/home/zuul/src/opendev.org/openstack/kayobe-config-dev/etc/kayobe/zz-30-overrides.yml:47:25'. Conditionals must have a boolean result. This feature will be removed from ansible-core version 2.23. Origin: /home/zuul/kayobe-venv/share/kayobe/ansible/roles/firewalld/tasks/enabled.yml:50:9 48 become: true 49 loop: "{{ network_interfaces }}" 50 when: item | net_zone ^ column 9 TrivialFix Change-Id: I88e0f12e838070196d8f3ffa4ec95464ab323632 Signed-off-by: Will Szumski --- ansible/roles/firewalld/tasks/enabled.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/firewalld/tasks/enabled.yml b/ansible/roles/firewalld/tasks/enabled.yml index 048645169..1ab86bcd6 100644 --- a/ansible/roles/firewalld/tasks/enabled.yml +++ b/ansible/roles/firewalld/tasks/enabled.yml @@ -47,7 +47,7 @@ zone: "{{ item | net_zone }}" become: true loop: "{{ network_interfaces }}" - when: item | net_zone + when: item | net_zone is truthy notify: Restart firewalld - name: Ensure firewalld rules are applied 
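Review bot: The `when: network_interfaces | networkd_links | length > 0` fix is the right shape for the deprecation quoted in the message, but the same commit also bumps `stackhpc.linux` from 1.5.1 to 1.5.2 in requirements.yml without the message saying why; if that bump carries a related conditional fix in the collection, a sentence in the description (or a comment next to the version) would tie the two together, and if it is unrelated it belongs in its own change. The enclosing task starts before this hunk.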
From fa4f0be487f5a6979964c910f47581529cc6cf66 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Wed, 4 Mar 2026 08:33:34 +0100 Subject: [PATCH 05/10] Revert "CI: Disable seed jobs" This reverts commit aa230f9d05eea695f2aaa09a348f56a2079e6eda. Reason for revert: Bifrost passlib fix is merged. Change-Id: I5b179291a335cb32c782cf351554fdd6bd3e144f Signed-off-by: Pierre Riteau --- zuul.d/project.yaml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index c040a3d15..37fe7338e 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -28,14 +28,14 @@ - kayobe-overcloud-upgrade-slurp-rocky10 - kayobe-overcloud-upgrade-slurp-ubuntu-noble - kayobe-overcloud-upgrade-ubuntu-noble - #- kayobe-seed-rocky10 - #- kayobe-seed-rocky10-podman - #- kayobe-seed-ubuntu-noble - #- kayobe-seed-ubuntu-noble-podman - #- kayobe-seed-upgrade-rocky10 - #- kayobe-seed-upgrade-slurp-rocky10 - #- kayobe-seed-upgrade-slurp-ubuntu-noble - #- kayobe-seed-upgrade-ubuntu-noble + - kayobe-seed-rocky10 + - kayobe-seed-rocky10-podman + - kayobe-seed-ubuntu-noble + - kayobe-seed-ubuntu-noble-podman + - kayobe-seed-upgrade-rocky10 + - kayobe-seed-upgrade-slurp-rocky10 + - kayobe-seed-upgrade-slurp-ubuntu-noble + - kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky10 - kayobe-seed-vm-ubuntu-noble gate: 
@@ -59,14 +59,14 @@ - kayobe-overcloud-upgrade-slurp-rocky10 - kayobe-overcloud-upgrade-slurp-ubuntu-noble - kayobe-overcloud-upgrade-ubuntu-noble - #- kayobe-seed-rocky10 - #- kayobe-seed-rocky10-podman - #- kayobe-seed-ubuntu-noble - #- kayobe-seed-ubuntu-noble-podman - #- kayobe-seed-upgrade-rocky10 - #- kayobe-seed-upgrade-slurp-rocky10 - #- kayobe-seed-upgrade-slurp-ubuntu-noble - #- kayobe-seed-upgrade-ubuntu-noble + - kayobe-seed-rocky10 + - kayobe-seed-rocky10-podman + - kayobe-seed-ubuntu-noble + - kayobe-seed-ubuntu-noble-podman + - kayobe-seed-upgrade-rocky10 + - kayobe-seed-upgrade-slurp-rocky10 + - kayobe-seed-upgrade-slurp-ubuntu-noble + - kayobe-seed-upgrade-ubuntu-noble - kayobe-seed-vm-rocky10 - kayobe-seed-vm-ubuntu-noble From 79bee73dcb9fe2b07157c98ef4a6cf812ac9250a Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Mon, 16 Feb 2026 15:04:46 +0000 Subject: [PATCH 06/10] Bump stackhpc.openstack to 0.10.1 This prevents us needing the CRB and EPEL repositories to be enabled on Rocky hosts when building DIB images. Closes-Bug: #2141684 Closes-Bug: #2142501 Change-Id: Id3e610ad466212d3b8dde7a429ea66cc1562b047 Signed-off-by: Will Szumski --- .../notes/fixes-dib-image-build-18f29d072b913669.yaml | 10 ++++++++++ requirements.yml | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/fixes-dib-image-build-18f29d072b913669.yaml diff --git a/releasenotes/notes/fixes-dib-image-build-18f29d072b913669.yaml b/releasenotes/notes/fixes-dib-image-build-18f29d072b913669.yaml new file mode 100644 index 000000000..4639a4add --- /dev/null +++ b/releasenotes/notes/fixes-dib-image-build-18f29d072b913669.yaml @@ -0,0 +1,10 @@ +--- +fixes: + - | + Fixes an issue building diskimage-builder images when EPEL is disabled. + See `LP#2141684 `_ for more + details. + - | + Fixes an issue building diskimage-builder images when using the podman + container engine, See `LP#2142501 + `_ for more details. 
diff --git a/requirements.yml b/requirements.yml index e0aa67977..aad1416ee 100644 --- a/requirements.yml +++ b/requirements.yml @@ -22,7 +22,7 @@ collections: - name: stackhpc.network version: 1.0.0 - name: stackhpc.openstack - version: 0.9.0 + version: 0.10.1 roles: - src: ahuffman.resolv From 8767fcc69281277139f7132f36a2a65f8a06f5e8 Mon Sep 17 00:00:00 2001 From: Hollie Hutchinson Date: Fri, 28 Nov 2025 11:36:11 +0000 Subject: [PATCH 07/10] Skip external connectivity check when behind a proxy Network connectivity check fails for hosts that have no external network, so this check is now skipped if ``http_proxy`` is defined. Change-Id: Ib6f815c319a7e92e675382cfe9d4011598e72aba Signed-off-by: Hollie Hutchinson --- ansible/network-connectivity.yml | 40 ++++++++++--------- etc/kayobe/networks.yml | 3 ++ ...l-connectivity-check-43d232b52f43ed93.yaml | 4 ++ 3 files changed, 29 insertions(+), 18 deletions(-) create mode 100644 releasenotes/notes/fix-external-connectivity-check-43d232b52f43ed93.yaml diff --git a/ansible/network-connectivity.yml b/ansible/network-connectivity.yml index 3e0238d8c..bfcca9f9e 100644 --- a/ansible/network-connectivity.yml +++ b/ansible/network-connectivity.yml @@ -6,6 +6,8 @@ default(kayobe_max_fail_percentage) | default(100) }} vars: + # Skip external connectivity check when behind a proxy. + nc_skip_external_net: "{{ http_proxy | truthy }}" # Set this to an external IP address to check. nc_external_ip: 8.8.8.8 # Set this to an external hostname to check. 
@@ -14,27 +16,29 @@ # (20 bytes) headers. icmp_overhead_bytes: 28 tasks: - - name: "Display next action: external IP address check" - debug: - msg: > - Checking whether hosts have access to an external IP address, - {{ nc_external_ip }}. - run_once: True + - block: + - name: "Display next action: external IP address check" + debug: + msg: > + Checking whether hosts have access to an external IP address, + {{ nc_external_ip }}. + run_once: True - - name: Ensure an external IP is reachable - command: ping -c1 {{ nc_external_ip }} - changed_when: False + - name: Ensure an external IP is reachable + command: ping -c1 {{ nc_external_ip }} + changed_when: False - - name: "Display next action: external hostname check" - debug: - msg: > - Checking whether hosts have access to an external hostname, - {{ nc_external_hostname }}. - run_once: True + - name: "Display next action: external hostname check" + debug: + msg: > + Checking whether hosts have access to an external hostname, + {{ nc_external_hostname }}. + run_once: True - - name: Ensure an external host is reachable - command: ping -c1 {{ nc_external_hostname }} - changed_when: False + - name: Ensure an external host is reachable + command: ping -c1 {{ nc_external_hostname }} + changed_when: False + when: not nc_skip_external_net - name: "Display next action: gateway check" debug: diff --git a/etc/kayobe/networks.yml b/etc/kayobe/networks.yml index 17c9028c4..2132fd179 100644 --- a/etc/kayobe/networks.yml +++ b/etc/kayobe/networks.yml @@ -106,6 +106,9 @@ ############################################################################### # Network connectivity check configuration. +# Whether to skip the external network connectivity check. Default is false. +#nc_skip_external_net: + # External IP address to check. Default is 8.8.8.8. #nc_external_ip: 
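Review bot: The new comment in networks.yml says the default for `nc_skip_external_net` is false, but the play in network-connectivity.yml derives it from `http_proxy`, so the effective default is true whenever a proxy is configured; the comment should state that: `# Whether to skip the external network connectivity check. Default is true` / `# if http_proxy is set, false otherwise.`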
diff --git a/releasenotes/notes/fix-external-connectivity-check-43d232b52f43ed93.yaml b/releasenotes/notes/fix-external-connectivity-check-43d232b52f43ed93.yaml new file mode 100644 index 000000000..3ee7d838f --- /dev/null +++ b/releasenotes/notes/fix-external-connectivity-check-43d232b52f43ed93.yaml @@ -0,0 +1,4 @@ +--- +features: + - | + Skip external connectivity check behind a proxy. From fb1767ad7f42235f576ec5ae3fd6f623f207e512 Mon Sep 17 00:00:00 2001 From: Matt Crees Date: Tue, 19 Nov 2024 16:09:13 +0000 Subject: [PATCH 08/10] Deprecate kolla-tags and kolla-limit Deprecates the options ``--kolla-tags``, ``--kolla-skip-tags``, and ``kolla-limit``. Regular ``--tags``, ``--skip-tags``, and ``--limit`` will now be passed directly to the Kolla-Ansible invocations. The ``kayobe-generate-config`` tag is added to ``kolla-ansible.yml`` and ``kolla-openstack.yml``. It is always called, to allow for limiting to OpenStack services with just one tag, e.g. ``kayobe overcloud service deploy -t nova`. You can still skip this with ``--skip-tags kayobe-generate-config``. Also adds the ``bifrost`` tag to ``kolla-bifrost.yml``, so that we can easily limit to bifrost in the seed service deploy. As there is no clean way to handle some of Ansible's "special" tags like ``none``, using both regular and kolla tags/limits together is no longer allowed. Change-Id: I6f466305d49031da4d048f8fa7d2625b261a6fa0 
Signed-off-by: Matt Crees Co-Authored-By: Will Szumski --- ansible/kayobe-target-venv.yml | 4 +- ansible/kolla-ansible.yml | 4 + ansible/kolla-bifrost.yml | 1 + ansible/kolla-openstack.yml | 3 + doc/source/administration/overcloud.rst | 29 +++---- doc/source/administration/seed.rst | 7 +- doc/source/configuration/reference/vgpu.rst | 4 +- doc/source/deployment.rst | 7 +- doc/source/upgrading.rst | 10 ++- doc/source/usage.rst | 22 ++--- kayobe/ansible.py | 2 + kayobe/cli/commands.py | 85 ++++++++++++++++--- kayobe/cmd/kayobe.py | 33 +++++++ kayobe/kolla_ansible.py | 28 +++--- kayobe/tests/unit/test_ansible.py | 6 +- kayobe/tests/unit/test_kolla_ansible.py | 12 +-- ...ags-and-kolla-limits-254faef5584176e1.yaml | 22 +++++ 17 files changed, 209 insertions(+), 70 deletions(-) create mode 100644 releasenotes/notes/drop-kolla-tags-and-kolla-limits-254faef5584176e1.yaml diff --git a/ansible/kayobe-target-venv.yml b/ansible/kayobe-target-venv.yml index 53005c86e..4d4ae092f 100644 --- a/ansible/kayobe-target-venv.yml +++ b/ansible/kayobe-target-venv.yml @@ -26,7 +26,9 @@ filter: "{{ kayobe_ansible_setup_filter }}" gather_subset: "{{ kayobe_ansible_setup_gather_subset }}" when: - - ansible_facts is undefined or ansible_facts is falsy + #TODO(mattcrees): Enable this check once this bug is fixed: + # https://bugs.launchpad.net/kayobe/+bug/2144548 + # - ansible_facts is undefined or ansible_facts is falsy - kayobe_virtualenv is defined register: gather_facts_result # Before any facts are gathered, ansible doesn't know about diff --git a/ansible/kolla-ansible.yml b/ansible/kolla-ansible.yml index ec6c4e173..5a0505e52 100644 --- a/ansible/kolla-ansible.yml +++ b/ansible/kolla-ansible.yml @@ -9,6 +9,7 @@ tags: - kolla-ansible - config-validation + - kayobe-generate-config tasks: - name: Validate serial console configuration block: @@ -26,6 +27,7 @@ hosts: localhost tags: - kolla-ansible + - kayobe-generate-config gather_facts: false pre_tasks: - block: 
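Review bot: Commenting out `- ansible_facts is undefined or ansible_facts is falsy` leaves the task guarded only by `kayobe_virtualenv is defined`, so the fact gathering it registers as `gather_facts_result` now appears to run on every host with a virtualenv even when facts are already present; that is a behaviour change unrelated to the kolla-tags deprecation and the commit message does not mention it. If it has to ride along, the TODO should follow the file's comment style (`# TODO(mattcrees): ...` with a space after the hash, aligned with the list items) and the description should note the extra fact gathering and the bug it waits on. The enclosing task starts before this hunk.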
@@ -113,6 +115,7 @@ - config - config-validation - kolla-ansible + - kayobe-generate-config gather_facts: False tasks: - name: Set Kolla Ansible host variables @@ -142,6 +145,7 @@ - config - config-validation - kolla-ansible + - kayobe-generate-config gather_facts: False tasks: - name: Set Kolla Ansible host variables diff --git a/ansible/kolla-bifrost.yml b/ansible/kolla-bifrost.yml index 87023deb5..88b7b4a1b 100644 --- a/ansible/kolla-bifrost.yml +++ b/ansible/kolla-bifrost.yml @@ -3,6 +3,7 @@ hosts: localhost tags: - kolla-bifrost + - bifrost roles: - role: kolla-bifrost diff --git a/ansible/kolla-openstack.yml b/ansible/kolla-openstack.yml index ea2aec967..a2c1152f0 100644 --- a/ansible/kolla-openstack.yml +++ b/ansible/kolla-openstack.yml @@ -7,6 +7,7 @@ - config-validation - kolla-ansible - kolla-openstack + - kayobe-generate-config tasks: - name: Create controllers group with ironic enabled group_by: @@ -19,6 +20,7 @@ tags: - kolla-ansible - kolla-openstack + - kayobe-generate-config vars: # These are the filenames generated by overcloud-ipa-build.yml. ipa_image_name: "ipa" @@ -57,6 +59,7 @@ tags: - kolla-ansible - kolla-openstack + - kayobe-generate-config vars: switch_type_to_device_type: arista: netmiko_arista_eos diff --git a/doc/source/administration/overcloud.rst b/doc/source/administration/overcloud.rst index 13080a33f..f27187d22 100644 --- a/doc/source/administration/overcloud.rst +++ b/doc/source/administration/overcloud.rst @@ -15,7 +15,7 @@ necessary to update these prior to running a package update. To do this, update the configuration in ``${KAYOBE_CONFIG_PATH}/dnf.yml`` and run the following command:: - (kayobe) $ kayobe overcloud host configure --tags dnf --kolla-tags none + (kayobe) $ kayobe overcloud host configure --tags dnf Package Update -------------- 
@@ -80,10 +80,9 @@ improved by specifying Ansible tags to limit the tasks run in kayobe and/or kolla-ansible's playbooks. This may require knowledge of the inner workings of these tools but in general, kolla-ansible tags the play used to configure each service by the name of that service. For example: ``nova``, ``neutron`` or -``ironic``. Use ``-t`` or ``--tags`` to specify kayobe tags and ``-kt`` or -``--kolla-tags`` to specify kolla-ansible tags. For example:: +``ironic``. Use ``-t`` or ``--tags`` to specify tags. For example:: - (kayobe) $ kayobe overcloud service reconfigure --tags config --kolla-tags nova,ironic + (kayobe) $ kayobe overcloud service reconfigure --tags nova,ironic Deploying Updated Container Images ================================== @@ -105,10 +104,9 @@ improved by specifying Ansible tags to limit the tasks run in kayobe and/or kolla-ansible's playbooks. This may require knowledge of the inner workings of these tools but in general, kolla-ansible tags the play used to configure each service by the name of that service. For example: ``nova``, ``neutron`` or -``ironic``. Use ``-t`` or ``--tags`` to specify kayobe tags and ``-kt`` or -``--kolla-tags`` to specify kolla-ansible tags. For example:: +``ironic``. Use ``-t`` or ``--tags`` to specify tags. For example:: - (kayobe) $ kayobe overcloud service deploy containers --kolla-tags nova,ironic + (kayobe) $ kayobe overcloud service deploy containers --tags nova,ironic Upgrading Containerised Services ================================ @@ -126,9 +124,9 @@ To upgrade the containerised control plane services:: (kayobe) $ kayobe overcloud service upgrade As for the reconfiguration command, it is possible to specify tags for Kayobe -and/or kolla-ansible:: +and kolla-ansible:: - (kayobe) $ kayobe overcloud service upgrade --tags config --kolla-tags keystone + (kayobe) $ kayobe overcloud service upgrade --tags keystone Running Prechecks ================= 
@@ -137,10 +135,10 @@ Sometimes it may be useful to run prechecks without deploying services:: (kayobe) $ kayobe overcloud service prechecks -As for other similar commands, it is possible to specify tags for Kayobe and/or +As for other similar commands, it is possible to specify tags for Kayobe and kolla-ansible:: - (kayobe) $ kayobe overcloud service upgrade --tags config --kolla-tags keystone + (kayobe) $ kayobe overcloud service upgrade --tags keystone Stopping the Overcloud Services =============================== @@ -156,12 +154,11 @@ To stop the overcloud services:: It should be noted that this state is persistent - containers will remain stopped after a reboot of the host on which they are running. -It is possible to limit the operation to particular hosts via -``--kolla-limit``, or to particular services via ``--kolla-tags``. It is also -possible to avoid stopping the common containers via ``--kolla-skip-tags -common``. For example: +It is possible to limit the operation to particular hosts via ``--limit``, or +to particular services via ``--tags``. It is also possible to avoid stopping +the common containers via ``--skip-tags common``. For example: - (kayobe) $ kayobe overcloud service stop --kolla-tags glance,nova --kolla-skip-tags common + (kayobe) $ kayobe overcloud service stop --tags glance,nova --skip-tags common Destroying the Overcloud Services ================================= diff --git a/doc/source/administration/seed.rst b/doc/source/administration/seed.rst index b0bf5d0d7..0e2f8ba35 100644 --- a/doc/source/administration/seed.rst +++ b/doc/source/administration/seed.rst 
@@ -31,10 +31,7 @@ To destroy the seed services:: This can optionally be used with a tag:: - (kayobe) $ kayobe seed service destroy --yes-i-really-really-mean-it -kt none -t docker-registry - -Care must be taken to set both kayobe and kolla tags to avoid accidentally -destroying other services. + (kayobe) $ kayobe seed service destroy --yes-i-really-really-mean-it -t docker-registry Updating Packages ================= @@ -49,7 +46,7 @@ necessary to update these prior to running a package update. To do this, update the configuration in ``${KAYOBE_CONFIG_PATH}/dnf.yml`` and run the following command:: - (kayobe) $ kayobe seed host configure --tags dnf --kolla-tags none + (kayobe) $ kayobe seed host configure --tags dnf Package Update -------------- diff --git a/doc/source/configuration/reference/vgpu.rst b/doc/source/configuration/reference/vgpu.rst index 693c89d21..fcfe6cef9 100644 --- a/doc/source/configuration/reference/vgpu.rst +++ b/doc/source/configuration/reference/vgpu.rst @@ -226,7 +226,7 @@ To apply the configuration to Nova: .. code:: shell - (kayobe) $ kayobe overcloud service deploy -kt nova + (kayobe) $ kayobe overcloud service deploy -t nova OpenStack flavors ================= @@ -307,4 +307,4 @@ Reconfigure nova to match the change: .. code:: shell - (kayobe) $ kayobe overcloud service reconfigure -kt nova --kolla-limit computegpu000 --skip-prechecks + (kayobe) $ kayobe overcloud service reconfigure -t nova --limit computegpu000 --skip-prechecks diff --git a/doc/source/deployment.rst b/doc/source/deployment.rst index c39d0fe3c..5148700a8 100644 --- a/doc/source/deployment.rst +++ b/doc/source/deployment.rst 
@@ -217,9 +217,10 @@ After this command has completed the seed services will be active. .. note:: - Bifrost deployment behaviour is split between Kayobe and Kolla-Ansible. As - such, you should use both ``--tags kolla-bifrost`` and ``--kolla-tags - bifrost`` if you want to limit to Bifrost deployment. + You can use ``--tags bifrost`` if you want to limit to just the Bifrost + deployment. Note however that using tags is not tested in either Kayobe or + Kolla-Ansible CI, and as such should only be used if you know what you're + doing. Proceed with caution. .. seealso:: diff --git a/doc/source/upgrading.rst b/doc/source/upgrading.rst index bbe6b1d96..b0e221aca 100644 --- a/doc/source/upgrading.rst +++ b/doc/source/upgrading.rst @@ -450,7 +450,13 @@ To upgrade the containerised control plane services:: (kayobe) $ kayobe overcloud service upgrade -It is possible to specify tags for Kayobe and/or kolla-ansible to restrict the +It is possible to specify tags for Kayobe and kolla-ansible to restrict the scope of the upgrade:: - (kayobe) $ kayobe overcloud service upgrade --tags config --kolla-tags keystone + (kayobe) $ kayobe overcloud service upgrade --tags keystone + +.. note:: + + Using tags is not tested in either Kayobe or Kolla-Ansible CI, and as such + should only be used if you know what you're doing. Proceed with caution. + diff --git a/doc/source/usage.rst b/doc/source/usage.rst index 499a1b5ee..94269f959 100644 --- a/doc/source/usage.rst +++ b/doc/source/usage.rst 
@@ -63,12 +63,11 @@ Limiting Hosts Sometimes it may be necessary to limit execution of kayobe or kolla-ansible plays to a subset of the hosts. The ``--limit `` argument allows the -kayobe ansible hosts to be limited. The ``--kolla-limit `` argument -allows the kolla-ansible hosts to be limited. These two options may be -combined in a single command. In both cases, the argument provided should be +kayobe and kolla-ansible hosts to be limited. The argument provided should be an `Ansible host pattern `_, and will -ultimately be passed to ``ansible-playbook`` as a ``--limit`` argument. +ultimately be passed to ``ansible-playbook`` for both kayobe and kolla-ansible +as a ``--limit`` argument. .. _usage-tags: @@ -77,12 +76,15 @@ Tags `Ansible tags `_ provide a useful mechanism for executing a subset of the plays or tasks in a -playbook. The ``--tags `` argument allows execution of kayobe ansible -playbooks to be limited to matching plays and tasks. The ``--kolla-tags -`` argument allows execution of kolla-ansible ansible playbooks to be -limited to matching plays and tasks. The ``--skip-tags `` and -``--kolla-skip-tags `` arguments allow for avoiding execution of matching -plays and tasks. +playbook. The ``--tags `` argument allows execution of kayobe and +kolla-ansible playbooks to be limited to matching plays and tasks. The +``--skip-tags `` argument allows for avoiding execution of matching plays +and tasks. + +.. note:: + + Using tags is not tested in either Kayobe or Kolla-Ansible CI, and as such + should only be used if you know what you're doing. Proceed with caution. Check and diff mode ------------------- diff --git a/kayobe/ansible.py b/kayobe/ansible.py index caa6df7b1..6abd416a3 100644 --- a/kayobe/ansible.py +++ b/kayobe/ansible.py 
@@ -213,6 +213,8 @@ def build_args(parsed_args, playbooks, cmd += ["--skip-tags", parsed_args.skip_tags] if parsed_args.tags or tags: all_tags = [t for t in [parsed_args.tags, tags] if t] + # Always run kayobe-generate-config (unless the tag is skipped). + all_tags += ["kayobe-generate-config"] cmd += ["--tags", ",".join(all_tags)] cmd += playbooks return cmd diff --git a/kayobe/cli/commands.py b/kayobe/cli/commands.py index 4dbcb4cdc..a0213be70 100644 --- a/kayobe/cli/commands.py +++ b/kayobe/cli/commands.py @@ -14,6 +14,7 @@ import glob import json +import logging import os import re import sys @@ -30,6 +31,8 @@ # This is set to an arbitrary large number to simplify the sorting logic DEFAULT_SEQUENCE_NUMBER = sys.maxsize +LOG = logging.getLogger(__name__) + def _build_playbook_list(*playbooks): """Return a list of names of playbook files given their basenames.""" 
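Review bot: The tag name `"kayobe-generate-config"` is hard-coded inline in build_args even though the release note turns it into a user-facing contract (`--skip-tags kayobe-generate-config`); a module-level constant such as `GENERATE_CONFIG_TAG = "kayobe-generate-config"` referenced here would keep the name in one place and let the tests in test_ansible.py use it too. The comment could also say why the tag is forced on, e.g. `# Always run kayobe-generate-config so that --tags <service> still regenerates the kolla-ansible config (unless the tag is explicitly skipped).` build_args starts outside the hunk.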
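Review bot: The module-level `LOG = logging.getLogger(__name__)` added in the second commands.py hunk is not used by any new code in this commit, which logs through `self.app.LOG` everywhere (see handle_kolla_tags_limits_deprecation); unless another part of the file uses it, both the `import logging` line and the `LOG` definition can be dropped. flake8 reports an unused import only when the module is otherwise unreferenced, so an unused module constant like this is not caught by the linter.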
@@ -115,6 +118,31 @@ def generate_kolla_ansible_config(self, parsed_args, install=False, self.run_kayobe_playbooks(parsed_args, playbooks, ignore_limit=True, check=False) + def handle_kolla_tags_limits_deprecation(self, parsed_args): + if (parsed_args.kolla_limit or parsed_args.kolla_tags or + parsed_args.kolla_skip_tags): + self.app.LOG.warning("The use of --kolla-tags, --kolla-limit, and " + "--kolla-skip-tags is deprecated. Please " + "switch to just using --tags, --limit, or " + "--skip-tags, these are now passed into " + "kolla-ansible too. Kolla tags/limit will be " + "removed in the next release.") + if parsed_args.limit and parsed_args.kolla_limit: + self.app.LOG.error("You can no longer use both --limit and " + "--kolla-limit at the same time. Please switch " + "to just using --limit") + sys.exit(1) + if parsed_args.tags and parsed_args.kolla_tags: + self.app.LOG.error("You can no longer use both --tags and " + "--kolla-tags at the same time. Please switch " + "to just using --tags") + sys.exit(1) + if parsed_args.skip_tags and parsed_args.kolla_skip_tags: + self.app.LOG.error("You can no longer use both --skip-tags and " + "--kolla-skip-tags at the same time. Please " + "switch to just using --skip-tags") + sys.exit(1) + class KollaAnsibleMixin(object): """Mixin class for commands running Kolla Ansible.""" @@ -277,6 +305,7 @@ def get_parser(self, prog_name): def take_action(self, parsed_args): self.app.LOG.debug("Bootstrapping Kayobe Ansible control host") + self.handle_kolla_tags_limits_deprecation(parsed_args) ansible.install_galaxy_roles(parsed_args) ansible.install_galaxy_collections(parsed_args) playbooks = _build_playbook_list("bootstrap") @@ -503,6 +532,8 @@ def add_kolla_ansible_args(self, group): def take_action(self, parsed_args): self.app.LOG.debug("Running Kolla Ansible command") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args) 
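Review bot: handle_kolla_tags_limits_deprecation has no docstring and reads `parsed_args.kolla_limit`, `kolla_tags` and `kolla_skip_tags` unconditionally; if the mixin it is added to (the class header is outside the hunk) is ever used by a command whose parser did not get kolla_ansible.add_args, the result is an AttributeError rather than a clear message, so either `getattr(parsed_args, "kolla_limit", None)` or a docstring stating the precondition is needed. Suggested docstring: `"""Warn about the deprecated --kolla-* options and exit if both the old and new form of limit, tags or skip-tags are given."""`. The warning text says the options go away "in the next release" while the TODO added in kolla_ansible.py names 2026.2; the two should agree.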
@@ -683,6 +714,7 @@ class SeedVMProvision(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin, def take_action(self, parsed_args): self.app.LOG.debug("Provisioning seed VM") + self.handle_kolla_tags_limits_deprecation(parsed_args) self.run_kayobe_playbook(parsed_args, _get_playbook_path("ip-allocation"), limit="seed") @@ -701,6 +733,7 @@ class SeedVMDeprovision(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin, def take_action(self, parsed_args): self.app.LOG.debug("Deprovisioning seed VM") + self.handle_kolla_tags_limits_deprecation(parsed_args) self.run_kayobe_playbook(parsed_args, _get_playbook_path("seed-vm-deprovision")) @@ -836,6 +869,7 @@ class SeedServiceDeploy(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin, def take_action(self, parsed_args): self.app.LOG.debug("Deploying seed services") + self.handle_kolla_tags_limits_deprecation(parsed_args) playbooks = _build_playbook_list( "seed-manage-containers") extra_vars = {"kayobe_action": "deploy"} @@ -870,6 +904,7 @@ def take_action(self, parsed_args): "you understand this.") sys.exit(1) self.app.LOG.debug("Destroying seed services") + self.handle_kolla_tags_limits_deprecation(parsed_args) self.generate_kolla_ansible_config(parsed_args, service_config=False, bifrost_config=False) extra_args = ["--yes-i-really-really-mean-it"] @@ -911,6 +946,7 @@ class SeedServiceUpgrade(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin, def take_action(self, parsed_args): self.app.LOG.debug("Upgrading seed services") + self.handle_kolla_tags_limits_deprecation(parsed_args) playbooks = _build_playbook_list( "seed-manage-containers") extra_vars = {"kayobe_action": "deploy"} 
@@ -1278,6 +1314,8 @@ class OvercloudFactsGather(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin, def take_action(self, parsed_args): self.app.LOG.debug("Gathering overcloud host facts") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # Gather facts for Kayobe. playbooks = _build_playbook_list("overcloud-facts-gather") self.run_kayobe_playbooks(parsed_args, playbooks) @@ -1415,6 +1453,8 @@ def get_parser(self, prog_name): def take_action(self, parsed_args): self.app.LOG.debug("Performing overcloud database backup") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args, service_config=False) @@ -1443,6 +1483,8 @@ def take_action(self, parsed_args): self.app.LOG.debug("Performing overcloud database recovery") extra_vars = {} + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args, service_config=True) @@ -1480,6 +1522,8 @@ def get_parser(self, prog_name): def take_action(self, parsed_args): self.app.LOG.debug("Generating overcloud service configuration") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args) @@ -1511,6 +1555,7 @@ def get_parser(self, prog_name): def take_action(self, parsed_args): self.app.LOG.debug("Validating overcloud service configuration") + self.handle_kolla_tags_limits_deprecation(parsed_args) extra_vars = {} if parsed_args.output_dir: extra_vars[ @@ -1575,8 +1620,8 @@ class OvercloudServiceDeploy(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin, * Configure and deploy kayobe extra services. * Generate openrc files for the admin user. - This can be used in conjunction with the --tags and --kolla-tags arguments - to deploy specific services. + This can be used in conjunction with the --tags argument to deploy specific + services. """ def get_parser(self, prog_name): 
@@ -1589,6 +1634,8 @@ def get_parser(self, prog_name): def take_action(self, parsed_args): self.app.LOG.debug("Deploying overcloud services") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args) @@ -1624,8 +1671,8 @@ class OvercloudServiceDeployContainers(KollaAnsibleMixin, KayobeAnsibleMixin, * Perform a kolla-ansible deployment of the overcloud service containers. * Configure and deploy kayobe extra services. - This can be used in conjunction with the --tags and --kolla-tags arguments - to deploy specific services. + This can be used in conjunction with the --tags argument to deploy specific + services. """ def get_parser(self, prog_name): @@ -1639,6 +1686,8 @@ def get_parser(self, prog_name): def take_action(self, parsed_args): self.app.LOG.debug("Deploying overcloud services (containers only)") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args) @@ -1665,13 +1714,15 @@ class OvercloudServicePrechecks(KollaAnsibleMixin, KayobeAnsibleMixin, * Perform kolla-ansible prechecks to verify the system state for deployment. - This can be used in conjunction with the --tags and --kolla-tags arguments - to check specific services. + This can be used in conjunction with the --tags argument to check specific + services. """ def take_action(self, parsed_args): self.app.LOG.debug("Running overcloud prechecks") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args) 
@@ -1699,8 +1750,8 @@ class OvercloudServiceReconfigure(KollaAnsibleMixin, KayobeAnsibleMixin, * Configure and deploy kayobe extra services. * Generate openrc files for the admin user. - This can be used in conjunction with the --tags and --kolla-tags arguments - to reconfigure specific services. + This can be used in conjunction with the --tags argument to reconfigure + specific services. """ def get_parser(self, prog_name): @@ -1713,6 +1764,8 @@ def get_parser(self, prog_name): def take_action(self, parsed_args): self.app.LOG.debug("Reconfiguring overcloud services") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args) @@ -1746,8 +1799,8 @@ class OvercloudServiceStop(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin, * Perform a kolla-ansible stop of the overcloud services. * Stop kayobe extra services. - This can be used in conjunction with the --tags and --kolla-tags arguments - to stop specific services. + This can be used in conjunction with the --tags argument to stop specific + services. """ def get_parser(self, prog_name): @@ -1768,6 +1821,8 @@ def take_action(self, parsed_args): self.app.LOG.debug("Stopping overcloud services") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args) @@ -1795,8 +1850,8 @@ class OvercloudServiceUpgrade(KollaAnsibleMixin, KayobeAnsibleMixin, * Configure and upgrade kayobe extra services. * Regenerate openrc files for the admin user. - This can be used in conjunction with the --tags and --kolla-tags arguments - to upgrade specific services. + This can be used in conjunction with the --tags argument to upgrade + specific services. """ def get_parser(self, prog_name): 
@@ -1809,6 +1864,8 @@ def get_parser(self, prog_name): def take_action(self, parsed_args): self.app.LOG.debug("Upgrading overcloud services") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args, install=True) @@ -1860,6 +1917,8 @@ def take_action(self, parsed_args): self.app.LOG.debug("Destroying overcloud services") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args) @@ -1882,6 +1941,8 @@ class OvercloudContainerImagePull(KayobeAnsibleMixin, KollaAnsibleMixin, def take_action(self, parsed_args): self.app.LOG.debug("Pulling overcloud container images") + self.handle_kolla_tags_limits_deprecation(parsed_args) + # First prepare configuration. self.generate_kolla_ansible_config(parsed_args, service_config=False) diff --git a/kayobe/cmd/kayobe.py b/kayobe/cmd/kayobe.py index 5e3fadf15..25f5f44ec 100644 --- a/kayobe/cmd/kayobe.py +++ b/kayobe/cmd/kayobe.py @@ -18,6 +18,31 @@ from kayobe import version +import logging + + +class CustomFormatter(logging.Formatter): + + grey = "\x1b[38;20m" + yellow = "\x1b[33;20m" + red = "\x1b[31;20m" + bold_red = "\x1b[31;1m" + reset = "\x1b[0m" + format = "[%(levelname)s]: %(message)s" + + FORMATS = { + logging.DEBUG: grey + format + reset, + logging.INFO: grey + format + reset, + logging.WARNING: yellow + format + reset, + logging.ERROR: red + format + reset, + logging.CRITICAL: bold_red + format + reset + } + + def format(self, record): + log_fmt = self.FORMATS.get(record.levelno) + formatter = logging.Formatter(log_fmt) + return formatter.format(record) + class KayobeApp(App): 
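Review bot: In CustomFormatter the class attribute `format = "[%(levelname)s]: %(message)s"` is rebound to the `format` method later in the same class body, so the string only survives inside FORMATS; renaming it avoids the shadowing, and building the five `logging.Formatter` objects once at class level avoids allocating a new formatter for every record in `format()`. `import logging` is also placed after `from kayobe import version`, which the hacking import-order check is likely to flag; move it into the stdlib group at the top. A short docstring on the class would help, since the colour codes are not self-explanatory.

```python
class CustomFormatter(logging.Formatter):
    """Prefix records with a colour-coded ``[LEVEL]:`` tag."""

    GREY = "\x1b[38;20m"
    YELLOW = "\x1b[33;20m"
    RED = "\x1b[31;20m"
    BOLD_RED = "\x1b[31;1m"
    RESET = "\x1b[0m"
    FMT = "[%(levelname)s]: %(message)s"

    # One formatter per level, built once rather than per record.
    FORMATTERS = {
        logging.DEBUG: logging.Formatter(GREY + FMT + RESET),
        logging.INFO: logging.Formatter(GREY + FMT + RESET),
        logging.WARNING: logging.Formatter(YELLOW + FMT + RESET),
        logging.ERROR: logging.Formatter(RED + FMT + RESET),
        logging.CRITICAL: logging.Formatter(BOLD_RED + FMT + RESET),
    }

    def format(self, record):
        # Custom levels fall back to the plain base-class format.
        formatter = self.FORMATTERS.get(record.levelno)
        if formatter is None:
            return super().format(record)
        return formatter.format(record)
```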
@@ -33,6 +58,14 @@ def __init__(self): def initialize_app(self, argv): self.LOG.debug('initialize_app') + def configure_logging(self): + super().configure_logging() + root_logger = logging.getLogger('') + # Override log formatter + for handler in root_logger.handlers: + if isinstance(handler, logging.StreamHandler): + handler.setFormatter(CustomFormatter()) + def prepare_to_run_command(self, cmd): self.LOG.debug('prepare_to_run_command %s', cmd.__class__.__name__) diff --git a/kayobe/kolla_ansible.py b/kayobe/kolla_ansible.py index 7b5c990c9..7304fe82d 100644 --- a/kayobe/kolla_ansible.py +++ b/kayobe/kolla_ansible.py @@ -54,16 +54,20 @@ def add_args(parser): "Kolla Ansible" % (CONFIG_PATH_ENV, DEFAULT_CONFIG_PATH), action='append') + # TODO(mattcrees): Remove kl, kt, and kolla-skip-tags in 2026.2. parser.add_argument("-kl", "--kolla-limit", metavar="SUBSET", - help="further limit selected hosts to an additional " + help="[DEPRECATED: Please use -l or --limit instead] " + "further limit selected hosts to an additional " "pattern") parser.add_argument("-kp", "--kolla-playbook", metavar="PLAYBOOK", help="path to Ansible playbook file") parser.add_argument("--kolla-skip-tags", metavar="TAGS", - help="only run plays and tasks whose tags do not " - "match these values in Kolla Ansible") + help="[DEPRECATED: Please use -skip-tags instead] " + "only run plays and tasks whose tags " + "do not match these values in Kolla Ansible") parser.add_argument("-kt", "--kolla-tags", metavar="TAGS", - help="only run plays and tasks tagged with these " + help="[DEPRECATED: Please use -t or --tags instead] " + "only run plays and tasks tagged with these " "values in Kolla Ansible") parser.add_argument("--kolla-venv", metavar="VENV", default=default_venv, help="path to virtualenv where Kolla Ansible is " 
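Review bot: `isinstance(handler, logging.StreamHandler)` in configure_logging also matches `logging.FileHandler`, which subclasses StreamHandler, so if the parent configure_logging installs a file handler for `--log-file` (as cliff's does) the ANSI escape sequences end up in the log file; the same happens on the console handler whenever stderr is redirected to a file or a pipe. Gating on the stream being a terminal handles both cases in one check: `if isinstance(handler, logging.StreamHandler) and getattr(handler.stream, "isatty", lambda: False)():`. Honouring a `NO_COLOR` environment variable would be a further nicety for CI logs.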
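Review bot: The new help text for --kolla-skip-tags reads `[DEPRECATED: Please use -skip-tags instead]`; the replacement option is `--skip-tags` (two dashes) and it has no short form, unlike the `-l`/`-t` named in the other two messages. Change it to `help="[DEPRECATED: Please use --skip-tags instead] "`. Since the TODO says these are removed in 2026.2, the deprecation messages in commands.py should quote the same release rather than "the next release".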
@@ -162,13 +166,17 @@ def build_args(parsed_args, command, inventory_filename, extra_vars=None, # Quote and escape variables originating within the python CLI. extra_var_value = utils.quote_and_escape(extra_var_value) cmd += ["-e", "%s=%s" % (extra_var_name, extra_var_value)] - if parsed_args.kolla_limit or limit: - limit_arg = utils.intersect_limits(parsed_args.kolla_limit, limit) + if parsed_args.limit or parsed_args.kolla_limit or limit: + limit_arg = utils.intersect_limits(parsed_args.limit, limit) + limit_arg = utils.intersect_limits(parsed_args.kolla_limit, limit_arg) cmd += ["--limit", utils.quote_and_escape(limit_arg)] - if parsed_args.kolla_skip_tags: - cmd += ["--skip-tags", parsed_args.kolla_skip_tags] - if parsed_args.kolla_tags or tags: - all_tags = [t for t in [parsed_args.kolla_tags, tags] if t] + if parsed_args.skip_tags or parsed_args.kolla_skip_tags: + all_tags = [t for t in [parsed_args.skip_tags, + parsed_args.kolla_skip_tags] if t] + cmd += ["--skip-tags", ",".join(all_tags)] + if parsed_args.tags or parsed_args.kolla_tags or tags: + all_tags = [t for t in [parsed_args.tags, parsed_args.kolla_tags, + tags] if t] cmd += ["--tags", ",".join(all_tags)] if parsed_args.list_tasks: cmd += ["--list-tasks"] diff --git a/kayobe/tests/unit/test_ansible.py b/kayobe/tests/unit/test_ansible.py index 00600287d..10352dd25 100644 --- a/kayobe/tests/unit/test_ansible.py +++ b/kayobe/tests/unit/test_ansible.py @@ -222,7 +222,7 @@ def test_run_playbooks_all_the_args(self, mock_validate, mock_vars, "--check", "--diff", "--limit", "group1:host", - "--tags", "tag1,tag2", + "--tags", "tag1,tag2,kayobe-generate-config", "playbook1.yml", "playbook2.yml", ] @@ -300,7 +300,7 @@ def test_run_playbooks_all_the_long_args(self, mock_ask, mock_validate, "--diff", "--limit", "group1:host1", "--skip-tags", "tag3,tag4", - "--tags", "tag1,tag2", + "--tags", "tag1,tag2,kayobe-generate-config", "playbook1.yml", "playbook2.yml", ] 
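Review bot: `all_tags` is reused as the name for the --skip-tags list in the first new branch, which reads oddly right above the `--tags` branch that builds a different `all_tags`; name it `skip_tags` instead. Because `parsed_args.limit`, `skip_tags` and `tags` are now forwarded to kolla-ansible as well as to kayobe's own playbooks, a comment above the limit block would save readers a trip to the docs: `# --limit/--tags/--skip-tags are shared with the kayobe playbooks; host patterns and tag names must also resolve in the kolla-ansible inventory.` build_args starts outside the hunk.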
@@ -450,7 +450,7 @@ def test_run_playbooks_func_args(self, mock_validate, mock_vars, mock_run): "--check", "--diff", "--limit", "group1:host1:&group2:host2", - "--tags", "tag1,tag2,tag3,tag4", + "--tags", "tag1,tag2,tag3,tag4,kayobe-generate-config", "playbook1.yml", "playbook2.yml", ] diff --git a/kayobe/tests/unit/test_kolla_ansible.py b/kayobe/tests/unit/test_kolla_ansible.py index 68ddab221..d74e753b8 100644 --- a/kayobe/tests/unit/test_kolla_ansible.py +++ b/kayobe/tests/unit/test_kolla_ansible.py @@ -61,8 +61,8 @@ def test_run_all_the_args(self, mock_validate, mock_run): "--kolla-config-path", "/path/to/config", "-ke", "ev_name1=ev_value1", "-ki", "/path/to/inventory", - "-kl", "host1:host2", - "-kt", "tag1,tag2", + "-l", "host1:host2", + "-t", "tag1,tag2", "-kp", "/path/to/playbook", ] parsed_args = parser.parse_args(args) @@ -100,9 +100,9 @@ def test_run_all_the_long_args(self, mock_ask, mock_validate, mock_run): "--kolla-config-path", "/path/to/config", "--kolla-extra-vars", "ev_name1=ev_value1", "--kolla-inventory", "/path/to/inventory", - "--kolla-limit", "host1:host2", - "--kolla-skip-tags", "tag3,tag4", - "--kolla-tags", "tag1,tag2", + "--limit", "host1:host2", + "--skip-tags", "tag3,tag4", + "--tags", "tag1,tag2", "--kolla-playbook", "/path/to/playbook", ] parsed_args = parser.parse_args(args) @@ -194,7 +194,7 @@ def test_run_func_args(self, mock_validate, mock_run): vault.add_args(parser) args = [ "--kolla-extra-vars", "ev_name1=ev_value1", - "--kolla-tags", "tag1,tag2", + "--tags", "tag1,tag2", ] parsed_args = parser.parse_args(args) kwargs = { diff --git a/releasenotes/notes/drop-kolla-tags-and-kolla-limits-254faef5584176e1.yaml b/releasenotes/notes/drop-kolla-tags-and-kolla-limits-254faef5584176e1.yaml new file mode 100644 index 000000000..854451fbd --- /dev/null +++ b/releasenotes/notes/drop-kolla-tags-and-kolla-limits-254faef5584176e1.yaml 
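Review bot: The three test_kolla_ansible.py hunks replace every `-kl`/`-kt`/`--kolla-skip-tags` argument with the new options, so the deprecated path that build_args still implements (merging `parsed_args.kolla_tags` with `parsed_args.tags`, `kolla_skip_tags` with `skip_tags`, and intersecting `kolla_limit` with `limit`) has no coverage left until it is removed. Keep one case that passes `"--tags", "tag1", "--kolla-tags", "tag2"` and expects `"--tags", "tag1,tag2"`, and one combining `--limit` with `--kolla-limit`, so the merge order and the intersection are pinned for the deprecation period. The kayobe-generate-config expectations in test_ansible.py look right.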
@@ -0,0 +1,22 @@ +--- +features: + - | + Added the tag ``bifrost`` to ``kolla-bifrost.yml`` so that we can easily + limit to Bifrost in ``kayobe seed service deploy``. + - | + Removed the options ``--kolla-tags`` and ``kolla-limit`` from all commands. + Regular ``--tags`` and ``--limit`` will now be passed directly to the + Kolla-Ansible invocations. Added the tag ``kayobe-generate-config`` to + ``kolla-ansible.yml`` and ``kolla-openstack.yml``. This tag is now always + called, to allow for limiting to OpenStack services with just one tag, e.g. + ``kayobe overcloud service deploy -t nova`. You can still skip this with + ``--skip-tags kayobe-generate-config``. +upgrade: + - | + Removed the options ``--kolla-tags`` and ``kolla-limit`` from all commands. + Regular ``--tags`` and ``--limit`` will now be passed directly to the + Kolla-Ansible invocations. Added the tag ``kayobe-generate-config`` to + ``kolla-ansible.yml`` and ``kolla-openstack.yml``. This tag is now always + called, to allow for limiting to OpenStack services with just one tag, e.g. + ``kayobe overcloud service deploy -t nova`. You can still skip this with + ``--skip-tags kayobe-generate-config``. From bf8bd3403be7f694eadf9773aedfb02bbfbf8d0b Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 17 Mar 2026 18:24:12 +0100 Subject: [PATCH 09/10] CI: Bump ansible-lint to 26.x Change-Id: I5f20b51346eb58d4a5cbf921b5387beb1056b24e Signed-off-by: Pierre Riteau --- test-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test-requirements.txt b/test-requirements.txt index f5270c8d3..0f57abc8e 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -2,7 +2,7 @@ # of appearance. Changing the order has an impact on the overall integration # process, which may cause wedges in the gate later. -ansible-lint>=25.0.0,<26.0.0 # MIT +ansible-lint>=26.0.0,<27.0.0 # MIT bandit>=1.1.0 # Apache-2.0 bashate>=0.2 # Apache-2.0 coverage>=4.0 # Apache-2.0 
From 69e977e25d1d451489c20a1d071bc9170ba96356 Mon Sep 17 00:00:00 2001 From: Leonie Chamberlin-Medd Date: Mon, 12 Jan 2026 13:03:24 +0000 Subject: [PATCH 10/10] Add support for fail2ban in Kayobe Adds support for installing and configuring fail2ban in Kayobe using the robertdebock.fail2ban Ansible role https://galaxy.ansible.com/ui/standalone/roles/robertdebock/fail2ban/ Change-Id: Ic484b2c4f6e261a5173ba8f5378258068f468fa2 
Signed-off-by: Leonie Chamberlin-Medd --- ansible/control-host-configure.yml | 1 + ansible/fail2ban.yml | 17 ++++++++ ansible/infra-vm-host-configure.yml | 1 + .../inventory/group_vars/all/ansible-control | 20 ++++++++++ ansible/inventory/group_vars/all/compute | 20 ++++++++++ ansible/inventory/group_vars/all/controllers | 20 ++++++++++ ansible/inventory/group_vars/all/infra-vms | 20 ++++++++++ ansible/inventory/group_vars/all/monitoring | 20 ++++++++++ ansible/inventory/group_vars/all/seed | 20 ++++++++++ .../inventory/group_vars/all/seed-hypervisor | 20 ++++++++++ ansible/inventory/group_vars/all/storage | 20 ++++++++++ .../group_vars/ansible-control/fail2ban | 6 +++ ansible/inventory/group_vars/compute/fail2ban | 6 +++ .../inventory/group_vars/controllers/fail2ban | 6 +++ .../inventory/group_vars/infra-vms/fail2ban | 6 +++ .../inventory/group_vars/monitoring/fail2ban | 6 +++ .../group_vars/seed-hypervisor/fail2ban | 6 +++ ansible/inventory/group_vars/seed/fail2ban | 6 +++ ansible/inventory/group_vars/storage/fail2ban | 6 +++ ansible/overcloud-host-configure.yml | 1 + ansible/seed-host-configure.yml | 1 + ansible/seed-hypervisor-host-configure.yml | 1 + doc/source/configuration/reference/hosts.rst | 39 +++++++++++++++++++ etc/kayobe/ansible-control.yml | 15 +++++++ etc/kayobe/compute.yml | 15 +++++++ etc/kayobe/controllers.yml | 15 +++++++ etc/kayobe/infra-vms.yml | 15 +++++++ etc/kayobe/monitoring.yml | 15 +++++++ etc/kayobe/seed-hypervisor.yml | 15 +++++++ etc/kayobe/seed.yml | 15 +++++++ etc/kayobe/storage.yml | 15 +++++++ .../overrides.yml.j2 | 6 +++ .../tests/test_overcloud_host_configure.py | 10 +++++ .../support-fail2ban-b25a26d66cfbcaaf.yaml | 6 +++ requirements.yml | 2 + zuul.d/jobs.yaml | 4 ++ 36 files changed, 417 insertions(+) create mode 100644 ansible/fail2ban.yml create mode 100644 ansible/inventory/group_vars/ansible-control/fail2ban create mode 100644 ansible/inventory/group_vars/compute/fail2ban create mode 100644 
ansible/inventory/group_vars/controllers/fail2ban create mode 100644 ansible/inventory/group_vars/infra-vms/fail2ban create mode 100644 ansible/inventory/group_vars/monitoring/fail2ban create mode 100644 ansible/inventory/group_vars/seed-hypervisor/fail2ban create mode 100644 ansible/inventory/group_vars/seed/fail2ban create mode 100644 ansible/inventory/group_vars/storage/fail2ban create mode 100644 releasenotes/notes/support-fail2ban-b25a26d66cfbcaaf.yaml diff --git a/ansible/control-host-configure.yml b/ansible/control-host-configure.yml index 996da2c68..fb58add50 100644 --- a/ansible/control-host-configure.yml +++ b/ansible/control-host-configure.yml @@ -13,6 +13,7 @@ - import_playbook: "selinux.yml" - import_playbook: "network.yml" - import_playbook: "firewall.yml" +- import_playbook: "fail2ban.yml" - import_playbook: "tuned.yml" - import_playbook: "sysctl.yml" - import_playbook: "time.yml" diff --git a/ansible/fail2ban.yml b/ansible/fail2ban.yml new file mode 100644 index 000000000..5f85f0a0e --- /dev/null +++ b/ansible/fail2ban.yml @@ -0,0 +1,17 @@ +--- +- name: Configure fail2ban + hosts: seed:seed-hypervisor:overcloud:infra-vms:ansible-control + max_fail_percentage: >- + {{ fail2ban_max_fail_percentage | + default(host_configure_max_fail_percentage) | + default(kayobe_max_fail_percentage) | + default(100) }} + tags: + - fail2ban + roles: + - role: robertdebock.fail2ban + become: true + when: fail2ban_enabled | bool + vars: + # TODO (L-Chams): Remove fail2ban_sender override when PR https://github.com/robertdebock/ansible-role-fail2ban/pull/18 is merged. + fail2ban_sender: root@{{ ansible_facts.fqdn }} diff --git a/ansible/infra-vm-host-configure.yml b/ansible/infra-vm-host-configure.yml index 644c7f03a..2d1595074 100644 --- a/ansible/infra-vm-host-configure.yml +++ b/ansible/infra-vm-host-configure.yml 
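Review bot: `when: fail2ban_enabled | bool` on the role raises an undefined-variable error for any host matched by `seed:seed-hypervisor:overcloud:infra-vms:ansible-control` that is not in one of the groups given a group_vars/<group>/fail2ban file in this commit; if the overcloud group can contain hosts outside controllers, compute, monitoring and storage, `when: fail2ban_enabled | default(false) | bool` makes the play a no-op for them instead of failing the host-configure run. `fail2ban_sender: root@{{ ansible_facts.fqdn }}` depends on facts having been gathered for this play, so if gather_facts is disabled anywhere in the host-configure chain, set it explicitly here. The hosts pattern and the `tags: [fail2ban]` entry are consistent with the other host-configure plays.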
@@ -13,6 +13,7 @@ - import_playbook: "selinux.yml" - import_playbook: "network.yml" - import_playbook: "firewall.yml" +- import_playbook: "fail2ban.yml" - import_playbook: "tuned.yml" - import_playbook: "sysctl.yml" - import_playbook: "disable-glean.yml" diff --git a/ansible/inventory/group_vars/all/ansible-control b/ansible/inventory/group_vars/all/ansible-control index 0f9f555c0..635024df0 100644 --- a/ansible/inventory/group_vars/all/ansible-control +++ b/ansible/inventory/group_vars/all/ansible-control @@ -126,6 +126,26 @@ ansible_control_firewalld_default_zone: # - state: enabled ansible_control_firewalld_rules: [] +############################################################################### +# Ansible control host fail2ban configuration. + +# Whether to install and enable fail2ban. Default is false. +ansible_control_fail2ban_enabled: false + +# List of fail2ban jails for the Ansible control host. +ansible_control_fail2ban_jail_configuration: >- + {{ ansible_control_fail2ban_jail_configuration_default + + ansible_control_fail2ban_jail_configuration_extra }} + +# List of default fail2ban jails for the Ansible control host. +ansible_control_fail2ban_jail_configuration_default: + - option: enabled + value: "true" + section: sshd + +# List of extra fail2ban jails for the Ansible control host. +ansible_control_fail2ban_jail_configuration_extra: [] + ############################################################################### # Ansible control host swap configuration. diff --git a/ansible/inventory/group_vars/all/compute b/ansible/inventory/group_vars/all/compute index 1803098cc..99fb9dc3c 100644 --- a/ansible/inventory/group_vars/all/compute +++ b/ansible/inventory/group_vars/all/compute 
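Review bot: The comment on `ansible_control_fail2ban_enabled` reads `# Whether to install and enable fail2ban. Default is false.` while the equivalent comments in the compute, controllers, infra-vms, monitoring, seed, seed-hypervisor and storage hunks omit the "Default is false." sentence; pick one form for all eight, since these files are mirrored into etc/kayobe/*.yml and read by operators as reference documentation. Quoting `value: "true"` in the default sshd jail is correct, as the role writes the value into an ini file and a bare true would be retyped to a boolean.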
@@ -185,6 +185,26 @@ compute_firewalld_default_zone: # - state: enabled compute_firewalld_rules: [] +############################################################################### +# Compute node fail2ban configuration. + +# Whether to install and enable fail2ban. +compute_fail2ban_enabled: false + +# List of fail2ban jails for the compute node. +compute_fail2ban_jail_configuration: >- + {{ compute_fail2ban_jail_configuration_default + + compute_fail2ban_jail_configuration_extra }} + +# List of default fail2ban jails for the compute node. +compute_fail2ban_jail_configuration_default: + - option: enabled + value: "true" + section: sshd + +# List of extra fail2ban jails for the compute node. +compute_fail2ban_jail_configuration_extra: [] + ############################################################################### # Compute node host libvirt configuration. diff --git a/ansible/inventory/group_vars/all/controllers b/ansible/inventory/group_vars/all/controllers index a7b2097bd..f8be1616a 100644 --- a/ansible/inventory/group_vars/all/controllers +++ b/ansible/inventory/group_vars/all/controllers 
@@ -224,6 +224,26 @@ controller_firewalld_default_zone: # - state: enabled controller_firewalld_rules: [] +############################################################################### +# Controller node fail2ban configuration. + +# Whether to install and enable fail2ban. +controller_fail2ban_enabled: false + +# List of fail2ban jails for the controller node. +controller_fail2ban_jail_configuration: >- + {{ controller_fail2ban_jail_configuration_default + + controller_fail2ban_jail_configuration_extra }} + +# List of default fail2ban jails for the controller node. +controller_fail2ban_jail_configuration_default: + - option: enabled + value: "true" + section: sshd + +# List of extra fail2ban jails for the controller node. +controller_fail2ban_jail_configuration_extra: [] + ############################################################################### # Controller node swap configuration. diff --git a/ansible/inventory/group_vars/all/infra-vms b/ansible/inventory/group_vars/all/infra-vms index 58b91b97a..df0b8bcaa 100644 --- a/ansible/inventory/group_vars/all/infra-vms +++ b/ansible/inventory/group_vars/all/infra-vms 
@@ -230,6 +230,26 @@ infra_vm_firewalld_default_zone: # - state: enabled infra_vm_firewalld_rules: [] +############################################################################### +# Infrastructure VM node fail2ban configuration. + +# Whether to install and enable fail2ban. +infra_vm_fail2ban_enabled: false + +# List of fail2ban jails for the infrastructure VM node. +infra_vm_fail2ban_jail_configuration: >- + {{ infra_vm_fail2ban_jail_configuration_default + + infra_vm_fail2ban_jail_configuration_extra }} + +# List of default fail2ban jails for the infrastructure VM node. +infra_vm_fail2ban_jail_configuration_default: + - option: enabled + value: "true" + section: sshd + +# List of extra fail2ban jails for the infrastructure VM node. +infra_vm_fail2ban_jail_configuration_extra: [] + ############################################################################### # Infrastructure VM node swap configuration. diff --git a/ansible/inventory/group_vars/all/monitoring b/ansible/inventory/group_vars/all/monitoring index ee1fa4ebc..61492f2b2 100644 --- a/ansible/inventory/group_vars/all/monitoring +++ b/ansible/inventory/group_vars/all/monitoring 
@@ -124,6 +124,26 @@ monitoring_firewalld_default_zone: "{{ controller_firewalld_default_zone }}" # - state: enabled monitoring_firewalld_rules: "{{ controller_firewalld_rules }}" +############################################################################### +# Monitoring node fail2ban configuration. + +# Whether to install and enable fail2ban. +monitoring_fail2ban_enabled: false + +# List of fail2ban jails for the monitoring node. +monitoring_fail2ban_jail_configuration: >- + {{ monitoring_fail2ban_jail_configuration_default + + monitoring_fail2ban_jail_configuration_extra }} + +# List of default fail2ban jails for the monitoring node. +monitoring_fail2ban_jail_configuration_default: + - option: enabled + value: "true" + section: sshd + +# List of extra fail2ban jails for the monitoring node. +monitoring_fail2ban_jail_configuration_extra: [] + ############################################################################### # Monitoring node swap configuration. diff --git a/ansible/inventory/group_vars/all/seed b/ansible/inventory/group_vars/all/seed index 37d4497d9..22c0bc6d4 100644 --- a/ansible/inventory/group_vars/all/seed +++ b/ansible/inventory/group_vars/all/seed 
@@ -169,6 +169,26 @@ seed_firewalld_default_zone: # - state: enabled seed_firewalld_rules: [] +############################################################################### +# Seed node fail2ban configuration. + +# Whether to install and enable fail2ban. +seed_fail2ban_enabled: false + +# List of fail2ban jails for the seed node. +seed_fail2ban_jail_configuration: >- + {{ seed_fail2ban_jail_configuration_default + + seed_fail2ban_jail_configuration_extra }} + +# List of default fail2ban jails for the seed node. +seed_fail2ban_jail_configuration_default: + - option: enabled + value: "true" + section: sshd + +# List of extra fail2ban jails for the seed node. +seed_fail2ban_jail_configuration_extra: [] + ############################################################################### # Seed node swap configuration. diff --git a/ansible/inventory/group_vars/all/seed-hypervisor b/ansible/inventory/group_vars/all/seed-hypervisor index 80fe27851..47c64b3f7 100644 --- a/ansible/inventory/group_vars/all/seed-hypervisor +++ b/ansible/inventory/group_vars/all/seed-hypervisor 
@@ -162,6 +162,26 @@ seed_hypervisor_firewalld_default_zone: # - state: enabled seed_hypervisor_firewalld_rules: [] +############################################################################### +# Seed hypervisor node fail2ban configuration. + +# Whether to install and enable fail2ban. +seed_hypervisor_fail2ban_enabled: false + +# List of fail2ban jails for the seed hypervisor node. +seed_hypervisor_fail2ban_jail_configuration: >- + {{ seed_hypervisor_fail2ban_jail_configuration_default + + seed_hypervisor_fail2ban_jail_configuration_extra }} + +# List of default fail2ban jails for the seed hypervisor node. +seed_hypervisor_fail2ban_jail_configuration_default: + - option: enabled + value: "true" + section: sshd + +# List of extra fail2ban jails for the seed hypervisor node. +seed_hypervisor_fail2ban_jail_configuration_extra: [] + ############################################################################### # Seed hypervisor node swap configuration. diff --git a/ansible/inventory/group_vars/all/storage b/ansible/inventory/group_vars/all/storage index 429c0e816..46ea4bc79 100644 --- a/ansible/inventory/group_vars/all/storage +++ b/ansible/inventory/group_vars/all/storage 
@@ -173,6 +173,26 @@ storage_firewalld_default_zone:
 # - state: enabled
 storage_firewalld_rules: []
+###############################################################################
+# Storage node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+storage_fail2ban_enabled: false
+
+# List of fail2ban jails for the storage node.
+storage_fail2ban_jail_configuration: >-
+ {{ storage_fail2ban_jail_configuration_default +
+ storage_fail2ban_jail_configuration_extra }}
+
+# List of default fail2ban jails for the storage node.
+storage_fail2ban_jail_configuration_default:
+ - option: enabled
+ value: "true"
+ section: sshd
+
+# List of extra fail2ban jails for the storage node.
+storage_fail2ban_jail_configuration_extra: []
+
 ###############################################################################
 # Storage node swap configuration.
diff --git a/ansible/inventory/group_vars/ansible-control/fail2ban b/ansible/inventory/group_vars/ansible-control/fail2ban
new file mode 100644
index 000000000..d3b3e149b
--- /dev/null
+++ b/ansible/inventory/group_vars/ansible-control/fail2ban
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ ansible_control_fail2ban_enabled }}"
+
+# List of fail2ban jails for the Ansible control host.
+fail2ban_jail_configuration: "{{ ansible_control_fail2ban_jail_configuration }}"
diff --git a/ansible/inventory/group_vars/compute/fail2ban b/ansible/inventory/group_vars/compute/fail2ban
new file mode 100644
index 000000000..bef1836ec
--- /dev/null
+++ b/ansible/inventory/group_vars/compute/fail2ban
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ compute_fail2ban_enabled }}"
+
+# List of fail2ban jails for the compute node.
+fail2ban_jail_configuration: "{{ compute_fail2ban_jail_configuration }}"
diff --git a/ansible/inventory/group_vars/controllers/fail2ban b/ansible/inventory/group_vars/controllers/fail2ban
new file mode 100644
index 000000000..72693b64a
--- /dev/null
+++ b/ansible/inventory/group_vars/controllers/fail2ban
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ controller_fail2ban_enabled }}"
+
+# List of fail2ban jails for the controller node.
+fail2ban_jail_configuration: "{{ controller_fail2ban_jail_configuration }}"
diff --git a/ansible/inventory/group_vars/infra-vms/fail2ban b/ansible/inventory/group_vars/infra-vms/fail2ban
new file mode 100644
index 000000000..f1e6f2a4a
--- /dev/null
+++ b/ansible/inventory/group_vars/infra-vms/fail2ban
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ infra_vm_fail2ban_enabled }}"
+
+# List of fail2ban jails for the infrastructure VM node.
+fail2ban_jail_configuration: "{{ infra_vm_fail2ban_jail_configuration }}"
diff --git a/ansible/inventory/group_vars/monitoring/fail2ban b/ansible/inventory/group_vars/monitoring/fail2ban
new file mode 100644
index 000000000..9160d962f
--- /dev/null
+++ b/ansible/inventory/group_vars/monitoring/fail2ban
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ monitoring_fail2ban_enabled }}"
+
+# List of fail2ban jails for the monitoring node.
+fail2ban_jail_configuration: "{{ monitoring_fail2ban_jail_configuration }}"
diff --git a/ansible/inventory/group_vars/seed-hypervisor/fail2ban b/ansible/inventory/group_vars/seed-hypervisor/fail2ban
new file mode 100644
index 000000000..f1106c883
--- /dev/null
+++ b/ansible/inventory/group_vars/seed-hypervisor/fail2ban
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ seed_hypervisor_fail2ban_enabled }}"
+
+# List of fail2ban jails for the seed hypervisor node.
+fail2ban_jail_configuration: "{{ seed_hypervisor_fail2ban_jail_configuration }}"
diff --git a/ansible/inventory/group_vars/seed/fail2ban b/ansible/inventory/group_vars/seed/fail2ban
new file mode 100644
index 000000000..dcdf156f9
--- /dev/null
+++ b/ansible/inventory/group_vars/seed/fail2ban
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ seed_fail2ban_enabled }}"
+
+# List of fail2ban jails for the seed node.
+fail2ban_jail_configuration: "{{ seed_fail2ban_jail_configuration }}"
diff --git a/ansible/inventory/group_vars/storage/fail2ban b/ansible/inventory/group_vars/storage/fail2ban
new file mode 100644
index 000000000..024920388
--- /dev/null
+++ b/ansible/inventory/group_vars/storage/fail2ban
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ storage_fail2ban_enabled }}"
+
+# List of fail2ban jails for the storage node.
+fail2ban_jail_configuration: "{{ storage_fail2ban_jail_configuration }}"
diff --git a/ansible/overcloud-host-configure.yml b/ansible/overcloud-host-configure.yml
index fff5bc398..a6cdf4d8b 100644
--- a/ansible/overcloud-host-configure.yml
+++ b/ansible/overcloud-host-configure.yml
@@ -13,6 +13,7 @@
 - import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
+- import_playbook: "fail2ban.yml"
 - import_playbook: "etc-hosts.yml"
 - import_playbook: "tuned.yml"
 - import_playbook: "sysctl.yml"
diff --git a/ansible/seed-host-configure.yml b/ansible/seed-host-configure.yml
index 00c7eed6c..25b0dcc16 100644
--- a/ansible/seed-host-configure.yml
+++ b/ansible/seed-host-configure.yml
@@ -13,6 +13,7 @@
 - import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
+- import_playbook: "fail2ban.yml"
 - import_playbook: "tuned.yml"
 - import_playbook: "sysctl.yml"
 - import_playbook: "ip-routing.yml"
diff --git a/ansible/seed-hypervisor-host-configure.yml b/ansible/seed-hypervisor-host-configure.yml
index a91f5781a..56f240848 100644
--- a/ansible/seed-hypervisor-host-configure.yml
+++ b/ansible/seed-hypervisor-host-configure.yml
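Review bot: `fail2ban.yml` is imported unconditionally into the overcloud and seed host-configure playbooks, while every `*_fail2ban_enabled` variable introduced by this change defaults to `false`, so the playbook itself (not part of this diff) must gate its tasks on `fail2ban_enabled | bool`, otherwise a plain host configure installs and starts fail2ban on hosts that opted out; please confirm. Importing it after `firewall.yml` is the right order, since the ban action has to hook into whichever host firewall that playbook set up, and a comment on the new line such as `# NOTE: runs after firewall.yml so fail2ban's ban action can use the configured firewall backend` would record that dependency for the next person who reorders these imports.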
@@ -13,6 +13,7 @@
 - import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
+- import_playbook: "fail2ban.yml"
 - import_playbook: "tuned.yml"
 - import_playbook: "sysctl.yml"
 - import_playbook: "ip-routing.yml"
diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst
index b0ed019a3..da2a1467f 100644
--- a/doc/source/configuration/reference/hosts.rst
+++ b/doc/source/configuration/reference/hosts.rst
@@ -691,6 +691,45 @@ follows:
 Note that despite the name, this will not actively enable UFW. It may do so in
 the future.
+Fail2Ban
+========
+@tags:
+ | ``fail2ban``
+
+Fail2Ban can be used to ban IP addresses that show malicious signs, such as
+ones that conduct too many failed login attempts. Kayobe can install and configure
+Fail2Ban on hosts.
+
+In order to use fail2ban, it is important to note that the user should enable
+``dnf_install_epel`` in their configuration when using Rocky Linux or CentOS.
+
+The following variables can be used to set whether to enable fail2ban:
+
+* ``ansible_control_fail2ban_enabled``
+* ``seed_hypervisor_fail2ban_enabled``
+* ``seed_fail2ban_enabled``
+* ``infra_vm_fail2ban_enabled``
+* ``compute_fail2ban_enabled``
+* ``controller_fail2ban_enabled``
+* ``monitoring_fail2ban_enabled``
+* ``storage_fail2ban_enabled``
+
+The following example demonstrates how to enable fail2ban on controllers.
+
+.. code-block:: yaml
+
+ controller_fail2ban_enabled: true
+
+The following should be added in the configuration file to set the default
+fail2ban sshd jail:
+
+.. code-block:: yaml
+
+ fail2ban_jail_configuration:
+ - option: enabled
+ value: "true"
+ section: sshd
+
 .. _configuration-hosts-tuned:
 Tuned
diff --git a/etc/kayobe/ansible-control.yml b/etc/kayobe/ansible-control.yml
index cd6b563d5..5232d4470 100644
--- a/etc/kayobe/ansible-control.yml
+++ b/etc/kayobe/ansible-control.yml
@@ -111,6 +111,21 @@
 # - state: enabled
 #ansible_control_firewalld_rules:
+###############################################################################
+# Ansible control host fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+#ansible_control_fail2ban_enabled:
+
+# List of fail2ban jails for the Ansible control host.
+#ansible_control_fail2ban_jail_configuration:
+
+# List of default fail2ban jails for the Ansible control host.
+#ansible_control_fail2ban_jail_configuration_default:
+
+# List of extra fail2ban jails for the Ansible control host.
+#ansible_control_fail2ban_jail_configuration_extra:
+
 ###############################################################################
 # Ansible control host swap configuration.
diff --git a/etc/kayobe/compute.yml b/etc/kayobe/compute.yml
index f8a7deb29..5240624f1 100644
--- a/etc/kayobe/compute.yml
+++ b/etc/kayobe/compute.yml
@@ -159,6 +159,21 @@
 # - state: enabled
 #compute_firewalld_rules:
+###############################################################################
+# Compute node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+#compute_fail2ban_enabled:
+
+# List of fail2ban jails for the compute node.
+#compute_fail2ban_jail_configuration:
+
+# List of default fail2ban jails for the compute node.
+#compute_fail2ban_jail_configuration_default:
+
+# List of extra fail2ban jails for the compute node.
+#compute_fail2ban_jail_configuration_extra:
+
 ###############################################################################
 # Compute node host libvirt configuration.
diff --git a/etc/kayobe/controllers.yml b/etc/kayobe/controllers.yml
index 1cc50c30b..7dd3199f2 100644
--- a/etc/kayobe/controllers.yml
+++ b/etc/kayobe/controllers.yml
@@ -185,6 +185,21 @@
 # - state: enabled
 #controller_firewalld_rules:
+###############################################################################
+# Controller node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+#controller_fail2ban_enabled:
+
+# List of fail2ban jails for the controller node.
+#controller_fail2ban_jail_configuration:
+
+# List of default fail2ban jails for the controller node.
+#controller_fail2ban_jail_configuration_default:
+
+# List of extra fail2ban jails for the controller node.
+#controller_fail2ban_jail_configuration_extra:
+
 ###############################################################################
 # Controller node swap configuration.
diff --git a/etc/kayobe/infra-vms.yml b/etc/kayobe/infra-vms.yml
index 59147aac7..50362e59d 100644
--- a/etc/kayobe/infra-vms.yml
+++ b/etc/kayobe/infra-vms.yml
@@ -188,6 +188,21 @@
 # - state: enabled
 #infra_vm_firewalld_rules:
+###############################################################################
+# Infrastructure VM node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+#infra_vm_fail2ban_enabled:
+
+# List of fail2ban jails for the infrastructure VM node.
+#infra_vm_fail2ban_jail_configuration:
+
+# List of default fail2ban jails for the infrastructure VM node.
+#infra_vm_fail2ban_jail_configuration_default:
+
+# List of extra fail2ban jails for the infrastructure VM node.
+#infra_vm_fail2ban_jail_configuration_extra:
+
 ###############################################################################
 # Infrastructure VM node swap configuration.
diff --git a/etc/kayobe/monitoring.yml b/etc/kayobe/monitoring.yml
index 8c63bd589..463b3090b 100644
--- a/etc/kayobe/monitoring.yml
+++ b/etc/kayobe/monitoring.yml
@@ -117,6 +117,21 @@
 # - state: enabled
 #monitoring_firewalld_rules:
+###############################################################################
+# Monitoring node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+#monitoring_fail2ban_enabled:
+
+# List of fail2ban jails for the monitoring node.
+#monitoring_fail2ban_jail_configuration:
+
+# List of default fail2ban jails for the monitoring node.
+#monitoring_fail2ban_jail_configuration_default:
+
+# List of extra fail2ban jails for the monitoring node.
+#monitoring_fail2ban_jail_configuration_extra:
+
 ###############################################################################
 # Monitoring node swap configuration.
diff --git a/etc/kayobe/seed-hypervisor.yml b/etc/kayobe/seed-hypervisor.yml
index 5905eefe0..8a063703b 100644
--- a/etc/kayobe/seed-hypervisor.yml
+++ b/etc/kayobe/seed-hypervisor.yml
@@ -136,6 +136,21 @@
 # - state: enabled
 #seed_hypervisor_firewalld_rules:
+###############################################################################
+# Seed hypervisor node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+#seed_hypervisor_fail2ban_enabled:
+
+# List of fail2ban jails for the seed hypervisor node.
+#seed_hypervisor_fail2ban_jail_configuration:
+
+# List of default fail2ban jails for the seed hypervisor node.
+#seed_hypervisor_fail2ban_jail_configuration_default:
+
+# List of extra fail2ban jails for the seed hypervisor node.
+#seed_hypervisor_fail2ban_jail_configuration_extra:
+
 ###############################################################################
 # Seed hypervisor node swap configuration.
diff --git a/etc/kayobe/seed.yml b/etc/kayobe/seed.yml
index 7a335ea2f..46f1cddc6 100644
--- a/etc/kayobe/seed.yml
+++ b/etc/kayobe/seed.yml
@@ -143,6 +143,21 @@
 # - state: enabled
 #seed_firewalld_rules:
+###############################################################################
+# Seed node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+#seed_fail2ban_enabled:
+
+# List of fail2ban jails for the seed node.
+#seed_fail2ban_jail_configuration:
+
+# List of default fail2ban jails for the seed node.
+#seed_fail2ban_jail_configuration_default:
+
+# List of extra fail2ban jails for the seed node.
+#seed_fail2ban_jail_configuration_extra:
+
 ###############################################################################
 # Seed node swap configuration.
diff --git a/etc/kayobe/storage.yml b/etc/kayobe/storage.yml
index 170ed2ab2..53376b4ef 100644
--- a/etc/kayobe/storage.yml
+++ b/etc/kayobe/storage.yml
@@ -147,6 +147,21 @@
 # - state: enabled
 #storage_firewalld_rules:
+###############################################################################
+# Storage node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+#storage_fail2ban_enabled:
+
+# List of fail2ban jails for the storage node.
+#storage_fail2ban_jail_configuration:
+
+# List of default fail2ban jails for the storage node.
+#storage_fail2ban_jail_configuration_default:
+
+# List of extra fail2ban jails for the storage node.
+#storage_fail2ban_jail_configuration_extra:
+
 ###############################################################################
 # Storage node swap configuration.
diff --git a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
index d2e75f779..06933a1d0 100644
--- a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
@@ -212,3 +212,9 @@ controller_swap:
 # Generate a password for libvirt SASL authentication.
 compute_libvirt_sasl_password: "{% raw %}{{ lookup('password', '/tmp/libvirt-sasl-password') }}{% endraw %}"
+
+# Test fail2ban configuration
+{% if fail2ban_enabled | bool %}
+dnf_use_local_mirror: true
+controller_fail2ban_enabled: true
+{% endif %}
diff --git a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py
index 442e39f80..f8e394909 100644
--- a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py
+++ b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py
@@ -344,6 +344,16 @@ def test_firewalld_rules(host):
 assert expected_line in info
 assert expected_line in perm_info
+def test_fail2ban_running(host):
+ assert host.package("fail2ban").is_installed
+ assert host.service("fail2ban.service").is_enabled
+ assert host.service("fail2ban.service").is_running
+
+def test_fail2ban_default_jail_config(host):
+ # verify that sshd jail is enabled by default
+ status = host.check_output("sudo fail2ban-client status sshd")
+ status = status.splitlines()
+ assert "Status for the jail: sshd" in status
 @pytest.mark.skipif(not _is_dnf(), reason="SELinux only supported on CentOS/Rocky")
diff --git a/releasenotes/notes/support-fail2ban-b25a26d66cfbcaaf.yaml b/releasenotes/notes/support-fail2ban-b25a26d66cfbcaaf.yaml
new file mode 100644
index 000000000..975239e50
--- /dev/null
+++ b/releasenotes/notes/support-fail2ban-b25a26d66cfbcaaf.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Adds support for installing and configuring fail2ban. See the docs
+ http://docs.openstack.org/kayobe/latest/configuration/reference/hosts.html#fail2ban
+ for more information.
diff --git a/requirements.yml b/requirements.yml
index e0aa67977..4e2cb7182 100644
--- a/requirements.yml
+++ b/requirements.yml
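Review bot: `test_fail2ban_running` and `test_fail2ban_default_jail_config` run unconditionally, but `overrides.yml.j2` only sets `controller_fail2ban_enabled` when the job variable `fail2ban_enabled` is true, so any child of `kayobe-overcloud-host-configure-base` that does not set that variable (whether one exists is not visible here) will fail on `assert host.package("fail2ban").is_installed`; either enable fail2ban on the base job or guard both tests the way the `@pytest.mark.skipif(...)` below does, with a helper that reads the job's `fail2ban_enabled` setting. The `dnf_use_local_mirror: true` line sits inside the fail2ban conditional without explanation; if it is there because the fail2ban package is pulled from EPEL, a comment such as `# fail2ban is installed from EPEL, which CI reaches via the local mirror` would stop a later cleanup from dropping it. The second test only proves the `sshd` jail exists, which is fine, but its comment should say `# verify that the sshd jail configured in group_vars is active` rather than "enabled by default", since the default comes from Kayobe's `*_fail2ban_jail_configuration_default`, not from fail2ban.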
@@ -40,6 +40,8 @@ roles:
 version: v0.2.13
 - src: mrlesmithjr.mdadm
 version: v0.1.9
+ - src: robertdebock.fail2ban
+ version: 5.0.6
 - src: singleplatform-eng.users
 version: v1.2.6
 - src: stackhpc.drac
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index ed98ae2dc..08a4328ee 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -313,11 +313,15 @@
 name: kayobe-overcloud-host-configure-rocky10
 parent: kayobe-overcloud-host-configure-base
 nodeset: kayobe-rocky10
+ vars:
+ fail2ban_enabled: true
 - job:
 name: kayobe-overcloud-host-configure-ubuntu-noble
 parent: kayobe-overcloud-host-configure-base
 nodeset: kayobe-ubuntu-noble
+ vars:
+ fail2ban_enabled: true
 - job:
 name: kayobe-seed-upgrade-base