stackhpc · Alex-Welsh · Mar 23, 2026 · Mar 2, 2026 · Mar 3, 2026 · Jan 29, 2026
@@ -54,16 +54,16 @@
 
     - name: Rename baremetal compute nodes
       command: >
-        {{ venv }}/bin/openstack baremetal node set --name "{{ inventory_hostname }}" "{{ node['UUID'] }}"
+        {{ venv }}/bin/openstack baremetal node set --name "{{ inventory_hostname }}" "{{ node['uuid'] }}"
       delegate_to: "{{ controller_host }}"
       environment: "{{ openstack_auth_env }}"
       vars:
         # NOTE: Without this, the controller's ansible_host variable will not
         # be respected when using delegate_to.
         ansible_host: "{{ hostvars[controller_host].ansible_host | default(controller_host) }}"
         ipmi_address: "{{ hostvars[inventory_hostname].ipmi_address }}"
-        matching_nodes: "{{ (nodes.stdout | from_json) | selectattr('Driver Info.ipmi_address', 'defined') | selectattr('Driver Info.ipmi_address', 'equalto', ipmi_address) | list }}"
+        matching_nodes: "{{ (nodes.stdout | from_json) | selectattr('driver_info.ipmi_address', 'defined') | selectattr('driver_info.ipmi_address', 'equalto', ipmi_address) | list }}"
         node: "{{ matching_nodes | first }}"
       when:
         - matching_nodes | length > 0
-        - node['Name'] != inventory_hostname
+        - node['name'] != inventory_hostname
@@ -79,11 +79,11 @@
           fail:
             msg: >-
               In order to use the serial console you must set the console_interface to ipmitool-socat.
-          when: node["Console Interface"] != "ipmitool-socat"
+          when: node["console_interface"] != "ipmitool-socat"
 
         - name: Set IPMI serial console terminal port
           vars:
-            name: "{{ node['Name'] }}"
+            name: "{{ node['name'] }}"
             port: "{{ hostvars[controller_host].console_allocation_result.ports[name] }}"
             # NOTE: Without this, the controller's ansible_host variable will not
             # be respected when using delegate_to.
@@ -93,23 +93,23 @@
           delegate_to: "{{ controller_host }}"
           environment: "{{ openstack_auth_env }}"
           when: >-
-            node['Driver Info'].ipmi_terminal_port is not defined or
-            node['Driver Info'].ipmi_terminal_port | int != port | int
+            node['driver_info'].ipmi_terminal_port is not defined or
+            node['driver_info'].ipmi_terminal_port | int != port | int
 
         - name: Enable the IPMI socat serial console
           vars:
             # NOTE: Without this, the controller's ansible_host variable will not
             # be respected when using delegate_to.
             ansible_host: "{{ hostvars[controller_host].ansible_host | default(controller_host) }}"
           command: >
-            {{ venv }}/bin/openstack baremetal node console enable {{ node['Name'] }}
+            {{ venv }}/bin/openstack baremetal node console enable {{ node['name'] }}
           delegate_to: "{{ controller_host }}"
           environment: "{{ openstack_auth_env }}"
-          when: not node['Console Enabled']
+          when: not node['console_enabled']
       vars:
         matching_nodes: >-
-          {{ (nodes.stdout | from_json) | selectattr('Name', 'defined') |
-          selectattr('Name', 'equalto', inventory_hostname) | list }}
+          {{ (nodes.stdout | from_json) | selectattr('name', 'defined') |
+          selectattr('name', 'equalto', inventory_hostname) | list }}
         node: "{{ matching_nodes | first }}"
       when:
         - cmd == "enable"
@@ -122,14 +122,14 @@
             # be respected when using delegate_to.
             ansible_host: "{{ hostvars[controller_host].ansible_host | default(controller_host) }}"
           command: >
-            {{ venv }}/bin/openstack baremetal node console disable {{ node['Name'] }}
+            {{ venv }}/bin/openstack baremetal node console disable {{ node['name'] }}
           delegate_to: "{{ controller_host }}"
           environment: "{{ openstack_auth_env }}"
-          when: node['Console Enabled']
+          when: node['console_enabled']
       vars:
         matching_nodes: >-
-          {{ (nodes.stdout | from_json) | selectattr('Name', 'defined') |
-          selectattr('Name', 'equalto', inventory_hostname) | list }}
+          {{ (nodes.stdout | from_json) | selectattr('name', 'defined') |
+          selectattr('name', 'equalto', inventory_hostname) | list }}
         node: "{{ matching_nodes | first }}"
       when:
         - cmd == "disable"

@@ -13,6 +13,7 @@
 - import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
+- import_playbook: "fail2ban.yml"
 - import_playbook: "tuned.yml"
 - import_playbook: "sysctl.yml"
 - import_playbook: "time.yml"

@@ -0,0 +1,17 @@
+---
+- name: Configure fail2ban
+  hosts: seed:seed-hypervisor:overcloud:infra-vms:ansible-control
+  max_fail_percentage: >-
+    {{ fail2ban_max_fail_percentage |
+       default(host_configure_max_fail_percentage) |
+       default(kayobe_max_fail_percentage) |
+       default(100) }}
+  tags:
+    - fail2ban
+  roles:
+    - role: robertdebock.fail2ban
+      become: true
+      when: fail2ban_enabled | bool
+  vars:
+    # TODO (L-Chams): Remove fail2ban_sender override when PR https://github.com/robertdebock/ansible-role-fail2ban/pull/18 is merged.
+    fail2ban_sender: root@{{ ansible_facts.fqdn }}
@@ -13,6 +13,7 @@
 - import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
+- import_playbook: "fail2ban.yml"
 - import_playbook: "tuned.yml"
 - import_playbook: "sysctl.yml"
 - import_playbook: "disable-glean.yml"

@@ -126,6 +126,26 @@ ansible_control_firewalld_default_zone:
 # - state: enabled
 ansible_control_firewalld_rules: []
 
+###############################################################################
+# Ansible control host fail2ban configuration.
+
+# Whether to install and enable fail2ban. Default is false.
+ansible_control_fail2ban_enabled: false
+
+# List of fail2ban jails for the Ansible control host.
+ansible_control_fail2ban_jail_configuration: >-
+  {{ ansible_control_fail2ban_jail_configuration_default +
+     ansible_control_fail2ban_jail_configuration_extra }}
+
+# List of default fail2ban jails for the Ansible control host.
+ansible_control_fail2ban_jail_configuration_default:
+  - option: enabled
+    value: "true"
+    section: sshd
+
+# List of extra fail2ban jails for the Ansible control host.
+ansible_control_fail2ban_jail_configuration_extra: []
+
 ###############################################################################
 # Ansible control host swap configuration.
 

@@ -185,6 +185,26 @@ compute_firewalld_default_zone:
 # - state: enabled
 compute_firewalld_rules: []
 
+###############################################################################
+# Compute node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+compute_fail2ban_enabled: false
+
+# List of fail2ban jails for the compute node.
+compute_fail2ban_jail_configuration: >-
+  {{ compute_fail2ban_jail_configuration_default +
+     compute_fail2ban_jail_configuration_extra }}
+
+# List of default fail2ban jails for the compute node.
+compute_fail2ban_jail_configuration_default:
+  - option: enabled
+    value: "true"
+    section: sshd
+
+# List of extra fail2ban jails for the compute node.
+compute_fail2ban_jail_configuration_extra: []
+
 ###############################################################################
 # Compute node host libvirt configuration.
 

@@ -224,6 +224,26 @@ controller_firewalld_default_zone:
 # - state: enabled
 controller_firewalld_rules: []
 
+###############################################################################
+# Controller node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+controller_fail2ban_enabled: false
+
+# List of fail2ban jails for the controller node.
+controller_fail2ban_jail_configuration: >-
+  {{ controller_fail2ban_jail_configuration_default +
+     controller_fail2ban_jail_configuration_extra }}
+
+# List of default fail2ban jails for the controller node.
+controller_fail2ban_jail_configuration_default:
+  - option: enabled
+    value: "true"
+    section: sshd
+
+# List of extra fail2ban jails for the controller node.
+controller_fail2ban_jail_configuration_extra: []
+
 ###############################################################################
 # Controller node swap configuration.
 

@@ -230,6 +230,26 @@ infra_vm_firewalld_default_zone:
 # - state: enabled
 infra_vm_firewalld_rules: []
 
+###############################################################################
+# Infrastructure VM node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+infra_vm_fail2ban_enabled: false
+
+# List of fail2ban jails for the infrastructure VM node.
+infra_vm_fail2ban_jail_configuration: >-
+  {{ infra_vm_fail2ban_jail_configuration_default +
+     infra_vm_fail2ban_jail_configuration_extra }}
+
+# List of default fail2ban jails for the infrastructure VM node.
+infra_vm_fail2ban_jail_configuration_default:
+  - option: enabled
+    value: "true"
+    section: sshd
+
+# List of extra fail2ban jails for the infrastructure VM node.
+infra_vm_fail2ban_jail_configuration_extra: []
+
 ###############################################################################
 # Infrastructure VM node swap configuration.
 

@@ -124,6 +124,26 @@ monitoring_firewalld_default_zone: "{{ controller_firewalld_default_zone }}"
 # - state: enabled
 monitoring_firewalld_rules: "{{ controller_firewalld_rules }}"
 
+###############################################################################
+# Monitoring node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+monitoring_fail2ban_enabled: false
+
+# List of fail2ban jails for the monitoring node.
+monitoring_fail2ban_jail_configuration: >-
+  {{ monitoring_fail2ban_jail_configuration_default +
+     monitoring_fail2ban_jail_configuration_extra }}
+
+# List of default fail2ban jails for the monitoring node.
+monitoring_fail2ban_jail_configuration_default:
+  - option: enabled
+    value: "true"
+    section: sshd
+
+# List of extra fail2ban jails for the monitoring node.
+monitoring_fail2ban_jail_configuration_extra: []
+
 ###############################################################################
 # Monitoring node swap configuration.
 

@@ -169,6 +169,26 @@ seed_firewalld_default_zone:
 # - state: enabled
 seed_firewalld_rules: []
 
+###############################################################################
+# Seed node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+seed_fail2ban_enabled: false
+
+# List of fail2ban jails for the seed node.
+seed_fail2ban_jail_configuration: >-
+  {{ seed_fail2ban_jail_configuration_default +
+     seed_fail2ban_jail_configuration_extra }}
+
+# List of default fail2ban jails for the seed node.
+seed_fail2ban_jail_configuration_default:
+  - option: enabled
+    value: "true"
+    section: sshd
+
+# List of extra fail2ban jails for the seed node.
+seed_fail2ban_jail_configuration_extra: []
+
 ###############################################################################
 # Seed node swap configuration.
 

@@ -162,6 +162,26 @@ seed_hypervisor_firewalld_default_zone:
 # - state: enabled
 seed_hypervisor_firewalld_rules: []
 
+###############################################################################
+# Seed hypervisor node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+seed_hypervisor_fail2ban_enabled: false
+
+# List of fail2ban jails for the seed hypervisor node.
+seed_hypervisor_fail2ban_jail_configuration: >-
+  {{ seed_hypervisor_fail2ban_jail_configuration_default +
+     seed_hypervisor_fail2ban_jail_configuration_extra }}
+
+# List of default fail2ban jails for the seed hypervisor node.
+seed_hypervisor_fail2ban_jail_configuration_default:
+  - option: enabled
+    value: "true"
+    section: sshd
+
+# List of extra fail2ban jails for the seed hypervisor node.
+seed_hypervisor_fail2ban_jail_configuration_extra: []
+
 ###############################################################################
 # Seed hypervisor node swap configuration.
 

@@ -173,6 +173,26 @@ storage_firewalld_default_zone:
 # - state: enabled
 storage_firewalld_rules: []
 
+###############################################################################
+# Storage node fail2ban configuration.
+
+# Whether to install and enable fail2ban.
+storage_fail2ban_enabled: false
+
+# List of fail2ban jails for the storage node.
+storage_fail2ban_jail_configuration: >-
+  {{ storage_fail2ban_jail_configuration_default +
+    storage_fail2ban_jail_configuration_extra }}
+
+# List of default fail2ban jails for the storage node.
+storage_fail2ban_jail_configuration_default:
+  - option: enabled
+    value: "true"
+    section: sshd
+
+# List of extra fail2ban jails for the storage node.
+storage_fail2ban_jail_configuration_extra: []
+
 ###############################################################################
 # Storage node swap configuration.
 

@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ ansible_control_fail2ban_enabled }}"
+
+# List of fail2ban jails for the Ansible control host.
+fail2ban_jail_configuration: "{{ ansible_control_fail2ban_jail_configuration }}"
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ compute_fail2ban_enabled }}"
+
+# List of fail2ban jails for the compute node.
+fail2ban_jail_configuration: "{{ compute_fail2ban_jail_configuration }}"
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ controller_fail2ban_enabled }}"
+
+# List of fail2ban jails for the controller node.
+fail2ban_jail_configuration: "{{ controller_fail2ban_jail_configuration }}"
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ infra_vm_fail2ban_enabled }}"
+
+# List of fail2ban jails for the infrastructure VM node.
+fail2ban_jail_configuration: "{{ infra_vm_fail2ban_jail_configuration }}"
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ monitoring_fail2ban_enabled }}"
+
+# List of fail2ban jails for the monitoring node.
+fail2ban_jail_configuration: "{{ monitoring_fail2ban_jail_configuration }}"
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ seed_hypervisor_fail2ban_enabled }}"
+
+# List of fail2ban jails for the seed hypervisor node.
+fail2ban_jail_configuration: "{{ seed_hypervisor_fail2ban_jail_configuration }}"
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ seed_fail2ban_enabled }}"
+
+# List of fail2ban jails for the seed node.
+fail2ban_jail_configuration: "{{ seed_fail2ban_jail_configuration }}"
@@ -0,0 +1,6 @@
+---
+# Whether to install and enable fail2ban
+fail2ban_enabled: "{{ storage_fail2ban_enabled }}"
+
+# List of fail2ban jails for the storage node.
+fail2ban_jail_configuration: "{{ storage_fail2ban_jail_configuration }}"
@@ -26,7 +26,9 @@
         filter: "{{ kayobe_ansible_setup_filter }}"
         gather_subset: "{{ kayobe_ansible_setup_gather_subset }}"
       when:
-        - ansible_facts is undefined or ansible_facts is falsy
+        #TODO(mattcrees): Enable this check once this bug is fixed:
+        # https://bugs.launchpad.net/kayobe/+bug/2144548
+        # - ansible_facts is undefined or ansible_facts is falsy
         - kayobe_virtualenv is defined
       register: gather_facts_result
       # Before any facts are gathered, ansible doesn't know about