Enables the installation and configuration of firewalld on Ubuntu
systems.

Change-Id: I4a97a2aeed277be672e15e5c7727b810e11d3c42
Story: 2010160
Task: 45818

Change-Id: Ib182558e31da9d79a14f383c6a1d60fa66f1dc75

The disable-selinux role has been renamed to selinux and now supports
setting desired state.

Previously Kayobe was defaulting to disabling and rebooted the host - to
avoid audit logs filling up. This change allows operators to define
desired SELinux state and defaults to permissive - to adhere to those
site policies that require SELinux to be at least in permissive state.

Change-Id: I42933b0b7d55c69c9f6992e331fafb2e6c42d4d1

The support was added in this commit, but the docs were not updated:
c6263dbf

Change-Id: Icfc5cbc80af1199ad00f78292c6228273af701aa

Change-Id: I2823016294e7df63f63be9ab26535b3962a71ebe

Using cp will leave removed files in kayobe-config.

Change-Id: Id8febf9f29e3cd230b9e516ab59e0fe9935cf375

Change-Id: Id94c09349ac5b90087502772a751015f9dfde0e9

The disks field in lvm_groups should be a list, and the percentage needs
to be relative to something.

Change-Id: I422c7113cdba8f5c155ff1f7d3d118066bd28e96

Adds support for SASL authentication of libvirt TCP and TLS connections
when using a compute host libvirt daemon.

In line with the dependent Kolla Ansible patch, we enable SASL by
default, and use DIGEST-MD5 with TCP and SCRAM-SHA-256 with TLS.

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/833022
Depends-On: https://github.com/stackhpc/ansible-role-libvirt-host/pull/52

Story: 2009858
Task: 44735

Change-Id: Id3972c24022aeb6421494c3cccdc8e7cbce802e6

In some cases it may be desirable to run libvirt daemon on the host. For
example, when mixing host and container OS distributions.

This change makes it possible to disable the nova_libvirt container, by
setting kolla_enable_nova_libvirt_container to false.

The stackhpc.libvirt-host role is used in order to install and configure
a libvirt daemon on compute hosts when
kolla_enable_nova_libvirt_container is false.

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/825357
Depends-On: https://review.opendev.org/c/openstack/kayobe-config-dev/+/829225
Depends-On: https://github.com/stackhpc/ansible-role-libvirt-host/pull/51

Story: 2009858
Task: 44495

Change-Id: I73fef63fb886a9d543d2f4231fb009523495edb3

This change adds support for configuration of Apt package manager in
/etc/apt/apt.conf.d/. This allows adding arbitrary global configuration
options for Apt. Options can be added in different files, allowing for
different filename-based priorities.

CI tests and documentation are provided.

Story: 2009655
Task: 43987

Change-Id: I9d7d18851359e97cd01b4c2287bf79110796b25a

This change adds support for configuring Apt repositories on Ubuntu
hosts during host configuration.

Repositories are configured in a single file
(/etc/apt/sources.list.d/kayobe.sources), using the modern deb822
format [1]. This format is more flexible and readable than the original
single-line format, particularly if multiple options are used.

Using a single file allows us to more easily keep the set of
repositories in sync, since Ansible doesn't make it easy to clean things
up.

Support is added for marking repositories as signed by a particular GPG
key. This approach is now preferred over the deprecated [2] apt-key
tool, which resulted in a set of globally trusted keys.

It is also possible to disable the repositories in
/etc/apt/sources.list via apt_disable_sources_list. This allows for
replacing the standard repositories with a local mirror.

CI tests and documentation are provided.

[1] https://manpages.ubuntu.com/manpages/focal/en/man5/sources.list.5.html
[2] https://manpages.ubuntu.com/manpages/groovy/man8/apt-key.8.html

Story: 2009655
Task: 43818

Change-Id: I3f821937b0930a0ac9341178de7ae5123d82b957

Change-Id: If7d6e58b19f98ccb7cc4c209e458cb6f4f4765ad

Sometimes some hosts should be configured with an interface without any
IP address set (e.g. bridged interface) and to achieve that this change
adds the new attribute 'no_ip' for the network configuration. Also the
change contain a test for this.

Change-Id: I2c9dfeca7f0d37a96f9cbd9df51d94098cf07258
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

Change-Id: I863e18841924e88c8943c1df0c6753fd90c90ef3
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

Change-Id: Idd53d689e0e9baad571b2f0f4005f3efa3e21830

Currently we use the HEAD reference for OpenStack requirements. This can
create images that are incompatible with your version of OpenStack.

See:
https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/688911

Change-Id: I42026fafb1be0071f5ec94e81881c4a3bdd34af8
Story: 2009810
Task: 44371

Change-Id: If002d845347b2e215d36df3ff73b743745e46131

Change-Id: I0747cc8fa6fdbfa980b1263da3b3edddb725d2db

A double colon (where only a single colon is wanted) was fouling up
parsing.

Change-Id: Ifaf28e85189bf438e373f165a9b3c2af1b47e834

Change-Id: Ia8c927c330b9428a3824a6925f6274cbc54314a0
Story: 2002098
Task: 44165

Change-Id: I366fbe98d27fa70b1aeb398c129f626fe042b5df
Story: 2002098
Task: 19776

EPEL is no longer required for a default installation. Let's disable it.

Also clean up the install_epel variable from Kolla Ansible globals.yml
template, since it never existed.

Story: 2009757
Task: 44227

Change-Id: I96eb4685f997e85ad2ee5318640d58d0287a016d

Change-Id: Icb02cffe04d84c6d29f3f0c3b4af540a4ffe631d
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

Adds an ability to enable SNAT service on the seed hypervisor.

Depends-On: Ie42ab7a0dc9dd1ed1925b3a17134b3770ae8ba98
Change-Id: I0a2ff5caa01d54b1532d30d501b55ef23a6deff8
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

Change-Id: Ie42ab7a0dc9dd1ed1925b3a17134b3770ae8ba98

When customising kolla_bifrost_inspector_extra_kernel_options, for
example to define which console to use, operators should note that
Kayobe defines extra kernel parameters that are important for
inspection, such as ipa-collect-lldp=1.

Change-Id: Id789dede2d1886ef5ec66ebc86968d6cf62fa2de

Change-Id: Id88d4cf226359c9f313d04276000f4c60ecdf373

Adds a '--diff' argument to kayobe CLI commands. This is passed through
to ansible-playbook for Kayobe Ansible playbooks, and can be used with
the '--check' argument to see changes that would be made to files.

This change also passes through --check and --diff arguments to
kolla-ansible.

Story: 2009038
Task: 42794

Change-Id: I350795c328c0dc0a91a5cd500c252c5b7b1eafc1

This change is a missing part for the new Kayobe functionality
introduced in Ie16354cd01ea7dd83cd3d4058dd8451b8387600b.

Change-Id: Ia3d665d53ccdb9e3b1d40949e96b720fab6df348
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>

If ICMP is filtered, it can be useful to change the IP and hostname used
by the network connectivity check feature.

Change-Id: I7432287dcb43992688600415fbb360709a532565

Kolla Ansible has recently updated the default Docker configuration to
stop using an insecure registry [1]. To avoid breaking existing Kayobe
deployments, automatically set docker_registry_insecure to true if we
deploy a registry without TLS.

[1] https://review.opendev.org/c/openstack/kolla-ansible/+/805449

Change-Id: Ifec7102812b5503cb02f207098192e99e7193d49

Supports merging configuration for the following files:

* kolla/globals.yml
* kolla/config/bifrost/bifrost.yml
* kolla/config/bifrost/dib.yml
* kolla/config/bifrost/servers.yml
* kolla/kolla-build.conf

Configuration is merged from the following sources:

* Kayobe source code
* Base Kayobe config
* Kayobe environment

Co-Authored-By: Will Szumski <will@stackhpc.com>
Change-Id: I552bd8f7853b2032954b372bf4476676dac3e271
Story: 2002009
Task: 42974

* Improve docs
* Fix up some comments

Change-Id: Iee05721bbe084f5580805cd82b12d065a2c61a1e

This is only supported on CentOS for now due to limitations of the
Ansible role used to configure tuned.

Change-Id: Ie07c5f467975f8da2f720e70c94cea6285981d72
Co-Authored-By: Pierre Riteau <pierre@stackhpc.com>
Story: 2007853
Task: 40155

Change-Id: Ic49de8d27da6604429e09fb0122eb64239cf58a8

Follow up to Id60e25e129e323f3c07e702bb81a11efc530fb3e, adds support for
firewalld configuration on Infra VMs.

Change-Id: Idd1ab982d4bca1cbdb0c4c6041cf3b6c17eae6cb

CentOS cloud images come with net.ifnames=0 on the kernel command line,
which disables consistent network device naming. This does not provide a
good experience on bare metal because NIC ordering can vary. This is
specific to cloud images: an ISO installation would use consistent
network device naming.

We now set net.ifnames=1 in the DIB default environment to use
consistent network device naming. The parameters `nofb nomodeset
gfxpayload=text` are also set to preserve defaults from DIB.

To restore the existing behaviour, set DIB_BOOTLOADER_DEFAULT_CMDLINE to
`nofb nomodeset gfxpayload=text net.ifnames=0` in the
kolla_bifrost_dib_env_vars_extra dictionary.

Change-Id: I20465eab4e0aec6620578a92d3bdbddcec0954df

This change allows you to define additional VMs to deploy
on the seed-hypervisor.

Co-authored-by: Piotr Parczewski <piotr@stackhpc.com>
Co-authored-by: Will Szumski <will@stackhpc.com>
Co-authored-by: Mark Goddard <mark@stackhpc.com>
Story: 2008741
Task: 42095
Change-Id: I8055fc5eb0a9edadcb35767303c659922f2d07ca

Adds support for configuring firewalld for CentOS hosts managed by
Kayobe.

* create zones
* set default zone
* set zone for interfaces
* define rules

Change-Id: Id60e25e129e323f3c07e702bb81a11efc530fb3e
Story: 2008991
Task: 42644