Enables the installation and configuration of firewalld on Ubuntu
systems.

Change-Id: I4a97a2aeed277be672e15e5c7727b810e11d3c42
Story: 2010160
Task: 45818

Change-Id: Iec0b9cd24eda4fc0fc38003dea66c50ece7425b6

The disable-selinux role has been renamed to selinux and now supports
setting desired state.

Previously Kayobe was defaulting to disabling and rebooted the host - to
avoid audit logs filling up. This change allows operators to define
desired SELinux state and defaults to permissive - to adhere to those
site policies that require SELinux to be at least in permissive state.

Change-Id: I42933b0b7d55c69c9f6992e331fafb2e6c42d4d1

IPA itself is still compatible with Python 3.6, but ipa-builder uses
master upper-constraints which have dropped support for 3.6 and are
pulling importlib-metadata===4.11.4, which requires 3.7.

    ERROR: Cannot install ironic-python-agent==8.6.1.dev13 because these package versions have conflicting dependencies.

    The conflict is caused by:
        ironic-python-agent 8.6.1.dev13 depends on importlib_metadata>=1.7.0
        The user requested (constraint) importlib-metadata===4.11.4

Change-Id: I0cc48d0d5ed17400badb081e9117c9351677bb38

Change-Id: I2823016294e7df63f63be9ab26535b3962a71ebe

Story: 2010069
Task: 45540
Change-Id: I0658c0059867468d6032cb1bfa3d05ae0d01c422

The 'overcloud container image build' command didn't build all the
hacluster images when hacluster is enabled.

TrivialFix

Change-Id: I9150e32579421e46782518948188e1363918fb39
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

Requirements upper constraints bumped python-novaclient to version
18.0.0 [1], which requires Python 3.8 [2]. This results in failures when
installing python-openstackclient on CentOS and Rocky with Python 3.6.

    ERROR: Cannot install python-openstackclient==5.8.0 because these package versions have conflicting dependencies.

    The conflict is caused by:
        python-openstackclient 5.8.0 depends on python-novaclient>=17.0.0
        The user requested (constraint) python-novaclient===18.0.0

Work around this issue by using yoga upper constraints until we upgrade
to CentOS Stream 9 and Rocky Linux 9.

This also fixes another issue seen on Ubuntu where image uploads to
Glance through Ansible fail with a 400 Bad Request error. This is caused
by the bump of openstacksdk to version 0.99.0 and will be fixed by a new
release of ansible-collections-openstack.

[1] https://review.opendev.org/c/openstack/requirements/+/842808
[2] https://review.opendev.org/c/openstack/python-novaclient/+/838944

Change-Id: I40c6b898963c2218d41d37bd73d40ce8dcf22b87

Previously we were not applying an MTU defined in Kayobe networks.yml to
the provisioning and cleaning networks in Neutron. This could lead to
issues when nodes communicate with the Ironic and Inspector APIs.

Change-Id: Id9418e4e88c52056412daa22462aa611bfcc59ae

This is old and deprecated configuration settings for Swift not needed
anymore because kolla-ansible correctly configure glance-api.conf and
glance-swift.conf since Idddbf2ce741e0486d60e1de88c77a7f0332a5a2b when
kolla_enable_swift variable set to true. This change can be backported
through all releases till the Train.

Change-Id: I5273edc8265f115519f499e85fe12f8d22306c4b
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

The no_proxy list should only contain domains, hostnames, IP addresses
and networks, but docker_registry is often in the form ip_address:port.

Use urlsplit to extract the hostname from the docker_registry variable
after prepending http:// to turn it into a valid URL.

Also add missing infra-vms to hosts in proxy.yml.

Change-Id: I6424fc405894514a63fb2b641637bbb9d5c070c0

Synchronize with new kolla-ansible parameters introduced in the
Ib69fc0017b3bfbc8da4dfd4301710fbf88be661a for Ironic Inspector.

Depends-On: Ib69fc0017b3bfbc8da4dfd4301710fbf88be661a
Change-Id: I6d9e3acc477c9c4b3bb9db9c01a2db83b9568f59
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

This reverts commit 88dd02dc.

Reason for revert: Master is now Zed

Change-Id: I9a18c41dbdc369a7a719632d6e41e2373784f29e

Enable the Ironic ipxe boot interface by default, following a similar
change in Ironic [1].

Drop the kolla_enable_ironic_ipxe flag, following a similar change in
Kolla Ansible [2]. Both PXE and iPXE are now enabled by default. Users
may revert to using PXE for ironic inspector's dnsmasq, by setting
ironic_dnsmasq_serve_ipxe to false in etc/kayobe/kolla/globals.yml.

[1] https://review.opendev.org/c/openstack/ironic/+/816824
[2] https://review.opendev.org/c/openstack/kolla-ansible/+/834512/

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/832159
Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/834511
Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/837069

Change-Id: Ifb80bd15a20c9cfb8fbc6e0f6ac23baae631a18e

The kolla_passwords module overrides parameter may contain sensitive
data, including passwords and SSH keys. It should be protected via
no_log. Without this, the parameter value may be exposed in Ansible
logs, or if level 3 verbosity is used, Ansible output.

This change adds no_log to the parameter.

Change-Id: I3f499d63d19ba7f7372b401bd2da23ce627f18e5

Upper constraints should be defined using
os_networks_upper_constraints_file rather than
os_openstacksdk_upper_constraints_file because of [1].

1. https://github.com/stackhpc/ansible-role-os-networks/blob/v1.5.3/meta/main.yml#L22



TrivialFix

Change-Id: Ic779bb80f20fd72c73f0df05e048c851fe8491ee
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

There is no mechanism to check which agent would be used and build
all the possible agents, but forgot the linuxbridge one.

Change-Id: I955a2c12b5143a63422cab50c74191bc22c63932
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

Switch all dependencies to use the OpenStack Yoga release.

This commit should be reverted on the master branch once the
Kayobe stable/yoga branch has been cut and RC1 released.

Change-Id: Ib7495c1bf79de8b1ea67e4a8652345c22e9d1a3e

When a kolla-ansible group is composed of a kayobe group with the same
name and of at least one other kayobe group, kayobe would generate an
invalid Ansible inventory such as:

[compute:children]
controllers
compute

Because the top-level group should already be defined, we only need to
add as children the kayobe groups using different names.

Change-Id: I88bdf1e3d0c08271ac8938ae2f9ac3f9fee1efa5
Story: 2009927
Task: 44798

Syncs with Kolla Ansible inventory for Yoga release, at commit
1a20c2348830eb189026b7d1d799ed0fa435aeeb.

Change-Id: I119c200c0c61e7996ba9996d480d07cb0a273b60

Change-Id: I174623bbcfeb35c59cd4c155f36078800d4c35cd

This adds a variable that allows you to modify the version of ansible
installed in the kolla-ansible virtualenv. This is useful if you want
to use a customised version of ansible.

Change-Id: I319dd51ed3221826f820fbc0ae3639b89e9c82ea

Adds support for SASL authentication of libvirt TCP and TLS connections
when using a compute host libvirt daemon.

In line with the dependent Kolla Ansible patch, we enable SASL by
default, and use DIGEST-MD5 with TCP and SCRAM-SHA-256 with TLS.

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/833022
Depends-On: https://github.com/stackhpc/ansible-role-libvirt-host/pull/52

Story: 2009858
Task: 44735

Change-Id: Id3972c24022aeb6421494c3cccdc8e7cbce802e6

In some cases it may be desirable to run libvirt daemon on the host. For
example, when mixing host and container OS distributions.

This change makes it possible to disable the nova_libvirt container, by
setting kolla_enable_nova_libvirt_container to false.

The stackhpc.libvirt-host role is used in order to install and configure
a libvirt daemon on compute hosts when
kolla_enable_nova_libvirt_container is false.

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/825357
Depends-On: https://review.opendev.org/c/openstack/kayobe-config-dev/+/829225
Depends-On: https://github.com/stackhpc/ansible-role-libvirt-host/pull/51

Story: 2009858
Task: 44495

Change-Id: I73fef63fb886a9d543d2f4231fb009523495edb3

This change adds support for configuration of Apt package manager in
/etc/apt/apt.conf.d/. This allows adding arbitrary global configuration
options for Apt. Options can be added in different files, allowing for
different filename-based priorities.

CI tests and documentation are provided.

Story: 2009655
Task: 43987

Change-Id: I9d7d18851359e97cd01b4c2287bf79110796b25a

This change adds support for configuring Apt repositories on Ubuntu
hosts during host configuration.

Repositories are configured in a single file
(/etc/apt/sources.list.d/kayobe.sources), using the modern deb822
format [1]. This format is more flexible and readable than the original
single-line format, particularly if multiple options are used.

Using a single file allows us to more easily keep the set of
repositories in sync, since Ansible doesn't make it easy to clean things
up.

Support is added for marking repositories as signed by a particular GPG
key. This approach is now preferred over the deprecated [2] apt-key
tool, which resulted in a set of globally trusted keys.

It is also possible to disable the repositories in
/etc/apt/sources.list via apt_disable_sources_list. This allows for
replacing the standard repositories with a local mirror.

CI tests and documentation are provided.

[1] https://manpages.ubuntu.com/manpages/focal/en/man5/sources.list.5.html
[2] https://manpages.ubuntu.com/manpages/groovy/man8/apt-key.8.html

Story: 2009655
Task: 43818

Change-Id: I3f821937b0930a0ac9341178de7ae5123d82b957

Currently, the 'kayobe * host package update' commands do not work on
Ubuntu, since the main task is skipped.

This change adds support for running the commands against Ubuntu hosts,
passing parameters to the package module based on the OS distribution.

Change-Id: I879df0ea3f357c2bb45a5e7331a3f2569eac63e9
Story: 2009685
Task: 43988

Since I4fb42d376636dc363cd86950ed37de4a3d28df73, kolla-ansible sets
kernel_append_params in ironic.conf, instead of the deprecated
pxe_append_params. Make the same change in the Kayobe ironic.conf
template, to avoid getting shadowed by the kolla-ansible default.

This also fixes the overcloud TLS job, which started failing because it
lost the ipa-insecure kernel option, making the Ironic API callback
invalid.

Change-Id: Id7e4bd7f199ad9dcb21d5db082e7a187cb310df9

Change-Id: If7d6e58b19f98ccb7cc4c209e458cb6f4f4765ad

When some custom config files are used, generation of local
configuration for Kolla Ansible is not idempotent. This happens because
an executable permission is applied recursively in a directory, then
reverted on regular files.

Change-Id: I8cc9531570b76a8282a95c4036324e9d1025d7cb

Sometimes some hosts should be configured with an interface without any
IP address set (e.g. bridged interface) and to achieve that this change
adds the new attribute 'no_ip' for the network configuration. Also the
change contain a test for this.

Change-Id: I2c9dfeca7f0d37a96f9cbd9df51d94098cf07258
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

This is continue of the changes to support Ironic/Bifrost provision
through DHCP-relay same as I9488a72db588e31289907668f1997596a8ccdec6

Depends-On: I74af38dc555b7edee8331e31dfd1a2fbfe4f1151
Change-Id: Ie1d5ecf32c637b77757e56fbe2fae1ff7c0bf000
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

These are only neccesary on network and compute nodes.

Co-authored-by: Mark Goddard <mark@stackhpc.com>

Change-Id: Id5af3969da63150e892201f7518f50a3da73e852
Story: 2009911
Task: 44740

Depends-on: https://review.opendev.org/c/openstack/bifrost/+/819785
Change-Id: I37b9d18f0523c121357c5a37ec6fc458209f8e79

Change-Id: Iaec4c530c353f7b97209a205473601abb0a408f4

This was removed from Kolla during the Yoga release cycle.

Change-Id: I0d2fba4e23ba49dec5adc9a822af2afe09111b58

The chrony container removal was performed in the Xena cycle, so we no
longer require this task in the 'overcloud host configure' command.

Change-Id: I86fcc75e844eb922f62c90c45a105519845cc1a7

This change uses the new Galaxy requirements file in Kolla Ansible to
install the openstack.kolla collection.

Cross-project dependencies on ansible-collection-kolla are supported.

Story: 2009854
Task: 44504

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/819430
Change-Id: Iac185dd2bbbca128c6cf71b2734e94b3e1c6133b

Ansible failure handling is different when executing multiple top-level
playbooks (CLI arguments) vs. multiple plays within a top-level
playbook. If any hosts have failed or are unreachable at the end of a
top-level playbook, then ansible-playbook exits non-zero.

In contrast, execution will continue at the end of a mid-playbook play
if there are hosts that have not failed or become unreachable. This is
documented in [1].

Currently, Kayobe executes multiple top-level playbooks, most notably in
the host configure commands where there is a long list of them. This has
implications when working at scale, where failures are more common. If a
host fails at any point, then execution of the command will stop at the
end of the current playbook. This means that the command must be run
again for all hosts. Additionally, if any hosts are unreachable, then
the command is unable to progress at all without removing them from the
inventory.

This change refactors the host configure and host upgrade commands to
use a single top-level playbook.

[1] https://github.com/markgoddard/ansible-experiments/tree/master/14-error-handling

Story: 2009854
Task: 44482

Change-Id: Ia63d66097b10b6ddda30ad693636143f8b1a85e0

Story: 2007872
Task: 44139

Change-Id: I1a161a4f241cccac3f39ab7a3e11bccac02f9a07
Co-Authored-By: Pierre Riteau <pierre@stackhpc.com>