For Rocky Linux 9, Kayobe will now disable STP on a bridge by default,
to preserve compatibility with network scripts, as Network Manager
enables STP on all bridges by default.
Enabling STP can lead to port down event if BPDU guard is enabled
on the switch.

Closes-Bug: #2028775

Change-Id: I35eaa92f4243af00697306aa801e5a733885ce4f

The 'kayobe * host configure' commands no longer use the 'kolla-ansible
bootstrap-servers' command, and associated 'baremetal' role in Kolla
Ansible. The functionality provided by the 'baremetal' role has been
extracted into the openstack.kolla Ansible collection, and split
into separate roles. This allows Kayobe to use it directly, and only the
necessary parts.

This change improves failure handling in these Kayobe commands, and aims
to reduce confusion over which '--limit' and '--tags' arguments to
provide.  This ensures that if a host fails during a host configuration
command, other hosts are able to continue to completion. Previously, if
any host failed during the Kayobe playbooks, the 'kolla-ansible
bootstrap-servers' command would not run. This is useful at scale, where
host failures occur more frequently.

This change has implications for configuration of Kayobe, since some
variables that were previously in Kolla Ansible are now in Kayobe.

Several parts of the baremetal role have been split out and used here:

* apparmor-libvirt: disable AppArmor rules for libvirt on Ubuntu.
* docker: Docker installation & configuration. The docker role in
  openstack.kolla combines functionality from kolla-ansible and kayobe.
* etc-hosts: it proved difficult to generalise this, so we have some
  almost duplicated the code from kolla-ansible here. Requires delegated
  fact gathering for the case when --limit is used.
* firewall: support to disable UFW, for feature parity.
* kolla-packages: miscellaneous package installs & removals.

The addition of the stack user to the docker group has been moved to the
user bootstrapping playbook, and the docker SDK installation has been
moved to the virtualenv setup playbook.

Depends-On: https://review.opendev.org/c/openstack/ansible-collection-kolla/+/829587

Story: 2009854
Task: 44505

Change-Id: I61a61ca59652b13687c2247d5881012b51f666a7

CentOS Stream 8 support has been dropped. Migration path will be present
in Yoga release - as a followup change.

MichaelRigart.interfaces does not support custom routes for
NetworkManager yet. It has been disabled in CI for Rocky Linux 9
temporarily.

Non-voting CentOS Stream 9 CI overcloud job is using RL9 container
images (as kolla CI is not building CS9 images anymore).

Change-Id: Idf5ee822b03ba40179803c981500a6bad37594bf

Supports creating and using swap files, or using pre-existing swap
devices.

Story: 2004958
Task: 29390

Change-Id: Iadb540f42036a4a63cdd5b695b82f1504b3a4a28

Change-Id: I7c863d1875908d2b885918ec7caed747ae6e345b

This allows operators to configure arbitrarily named VLAN interfaces
using systemd-networkd.

Story: 2010266
Task: 46178

Change-Id: I666d7011bde0050ebc509b427c1d4f5a66b6231a

Co-Authored-By: Bartosz Bezak <bartosz@stackhpc.com>

Change-Id: I06a3e9922cf95979f3bca120cd82633046270fa3

Enables the installation and configuration of firewalld on Ubuntu
systems.

Change-Id: I4a97a2aeed277be672e15e5c7727b810e11d3c42
Story: 2010160
Task: 45818

Adds support for SASL authentication of libvirt TCP and TLS connections
when using a compute host libvirt daemon.

In line with the dependent Kolla Ansible patch, we enable SASL by
default, and use DIGEST-MD5 with TCP and SCRAM-SHA-256 with TLS.

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/833022
Depends-On: https://github.com/stackhpc/ansible-role-libvirt-host/pull/52

Story: 2009858
Task: 44735

Change-Id: Id3972c24022aeb6421494c3cccdc8e7cbce802e6

This change adds support for configuration of Apt package manager in
/etc/apt/apt.conf.d/. This allows adding arbitrary global configuration
options for Apt. Options can be added in different files, allowing for
different filename-based priorities.

CI tests and documentation are provided.

Story: 2009655
Task: 43987

Change-Id: I9d7d18851359e97cd01b4c2287bf79110796b25a

This change adds support for configuring Apt repositories on Ubuntu
hosts during host configuration.

Repositories are configured in a single file
(/etc/apt/sources.list.d/kayobe.sources), using the modern deb822
format [1]. This format is more flexible and readable than the original
single-line format, particularly if multiple options are used.

Using a single file allows us to more easily keep the set of
repositories in sync, since Ansible doesn't make it easy to clean things
up.

Support is added for marking repositories as signed by a particular GPG
key. This approach is now preferred over the deprecated [2] apt-key
tool, which resulted in a set of globally trusted keys.

It is also possible to disable the repositories in
/etc/apt/sources.list via apt_disable_sources_list. This allows for
replacing the standard repositories with a local mirror.

CI tests and documentation are provided.

[1] https://manpages.ubuntu.com/manpages/focal/en/man5/sources.list.5.html
[2] https://manpages.ubuntu.com/manpages/groovy/man8/apt-key.8.html

Story: 2009655
Task: 43818

Change-Id: I3f821937b0930a0ac9341178de7ae5123d82b957

Change-Id: If7d6e58b19f98ccb7cc4c209e458cb6f4f4765ad

Sometimes some hosts should be configured with an interface without any
IP address set (e.g. bridged interface) and to achieve that this change
adds the new attribute 'no_ip' for the network configuration. Also the
change contain a test for this.

Change-Id: I2c9dfeca7f0d37a96f9cbd9df51d94098cf07258
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

Change-Id: I615707976454a91c8f6aecc5eda1852def7197d4

EPEL is no longer required for a default installation. Let's disable it.

Also clean up the install_epel variable from Kolla Ansible globals.yml
template, since it never existed.

Story: 2009757
Task: 44227

Change-Id: I96eb4685f997e85ad2ee5318640d58d0287a016d

Change-Id: Ic8c212111301d6b144e3aa0fe124b022b0296ec6

Follow up adding tests for Id60e25e129e323f3c07e702bb81a11efc530fb3e.

Change-Id: Ieb6d6e4d491b4ceb44d5fe364f0da215ac303fe1

Currently, the overcloud host configure test results are only returned
on success, when they are least useful. This is because the zuul_return
task is not reached when the test task fails. This change reorders the
tasks to fix the issue.

Change-Id: Ie572eda567782cc377767bd8d925145e2ad4bd61

This is only supported on CentOS for now due to limitations of the
Ansible role used to configure tuned.

Change-Id: Ie07c5f467975f8da2f720e70c94cea6285981d72
Co-Authored-By: Pierre Riteau <pierre@stackhpc.com>
Story: 2007853
Task: 40155

Future proof against silent loss of tests on CentOS Stream 9

Change-Id: I01b10d25ee0482c4f5b9bfb304e15e55cb158cc6

These were inadvertently skipped following the move to CentOS Stream,
due to matching the distro name on CentOS Linux.

Backport to Victoria.

Change-Id: I478d6304c3f8d207bc7062a0909147a169003027

CentOS repositories were renamed following the separation of CentOS
Linux and Stream. This change updates their names when using a local
mirror. It also removes the old files.

Change-Id: Ifcc3781d771e150b5771f2bf20cd8bcbc5faa443
Story: 2008795
Task: 42435

Some hosts in the kayobe inventory might not be in the kolla-ansible
inventory so it makes sense for kayobe to manage NTP.

Change-Id: Iacb579a46b0e9769a4c404a858d17968f74dd7e0
Depends-On: https://review.opendev.org/c/openstack/kayobe-config-dev/+/786040
Story: 2007872
Task: 40240

This change adds support for policy-based routing via systemd-networkd.
Due to differences in the configuration mechanism, routing policy
rules are configured via dicts for Ubuntu, while remaining as strings
on CentOS. Ideally we would support both formats.

Story: 2004960
Task: 42217

Change-Id: I77aec0160eb7e4dd763326bfe6e3d9a44b248108

This change adds support for network configuration via systemd-networkd
on Ubuntu systems.

This is implemented via an Ansible Galaxy role,
stackhpc.systemd_networkd which was forked from
aruhier.systemd_networkd. Several improvements were made in
https://github.com/stackhpc/ansible-role-systemd-networkd/pull/1,
including:

* Add support for removing unexpected config files
* Use become where necessary
* Refactor config generation into a single task to improve performance

The systemd_networkd role does not add much abstraction on top of the
systemd-networkd configuration file format, which provides a lot of
flexibility at the expense of additional code in Kayobe. This code is
implemented as filter plugins, similarly to the existing
MichaelRigart.interfaces role.

This patch includes support for:

* Ethernet interfaces
* bridges
* bonds
* VLANs
* virtual Ethernet pairs (to connect Linux bridges and OVS bridges)
* static IP addresses
* static routes
* MTU

Some network attributes are currently not supported for
systemd-networkd:

* rules
* route options
* ethtool_opts
* zone
* allowed addresses

Story: 2004960
Task: 41881

Change-Id: I248b5bb9ce5a80a07a2a311cb3aca6daca920720

Change-Id: Iff105f9a491dc6277586c1d53b84747c38feb585

Issues:

* bond configuration not working on Ubuntu - disabled in CI test

Story: 2004960
Task: 41560

Change-Id: Ib124dc6f313a2a13fa509b10702c6141f102f2f9

The flag dnf_install_epel was being used to predicate installation
of the EPEL RPM repo package, but not preventing the installation
of configuration for access to EPEL.  This small patch completes
the job.

Updates the overcloud host configure CI job to install EPEL mirrors,
since it was previously relying on this buggy behaviour.

Change-Id: Ib417837d0772338b16ea9f7f2540549f277d5de8

Change-Id: Icb57b908be9c83700274c042185e4481d5ca6ea5

This gives us some test coverage with Ansible Vault.

Change-Id: Ic9db7f84e9f0dcbe69c31b6fff6bda3dfb401a33
Story: 2004959
Task: 39813

* Always use Python 3
* Drop code paths for CentOS 7
* Drop support for Yum
* Remove support for host NTP daemon, always use chrony
* Switch references from 'yum_install_epel' to 'dnf_install_epel'
* Remove overcloud host image workaround for tagged VLAN admin network
* Remove the kayobe.utils.yum_install function, which is unused

Change-Id: I368f6edafed9779658798fc342116b4c1b3ffd48
Story: 2006574
Task: 39481

This can be advantageous in deployments with a data security
requirement.

Change-Id: I555ee575ccec0cfbcc4c4bcb53677796c83227e3
Story: 2007555
Task: 39410

Tests various non-default configuration:

* Custom users
* Network interfaces, VLANs, bridges, bonds
* Software RAID
* LVM & docker devicemapper
* timezone
* Package mirrors
* yum-cron / DNF automatic

This improved test coverage allows us to be more confident about these
features working on CentOS 8.

Change-Id: I36148e4356deb7d5ec00d8d3ebeb2d3932ff4f94
Story: 2006574
Task: 38938