This patch is removing chrony package
from docker host when containerized chrony is enabled.
It is also fixing issue with chrony container running
under Ubuntu docker host as noted below.

+ exec /usr/sbin/chronyd -d -f /etc/chrony/chrony.conf
2020-06-08T08:19:09Z chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 -DEBUG)
2020-06-08T08:19:09Z Fatal error : Could not open configuration file /etc/chrony/chrony.conf : Permission denied

Added also removal apparmor profile for ubuntu when
containerized chrony is enabled, as chrony's package
is not removing apparmor profile, and therefore
containerized chrony is not working.

Change-Id: Icf3bbae38b9f5630b69d5c8cf6a8bee11786a836
Closes-Bug: #1882513

It is not used for quite a time.
Some ancient Kolla Ansible used to update host kernel.

Change-Id: I9cdc1ec47ad802b4d65a7b6438a335fc14639e05

If docker_storage_driver is set in globals.yml, then kolla-ansible
bootstrap-servers is run, it fails like so:

The conditional check 'docker_storage_driver' failed. The error was: error
while evaluating conditional (docker_storage_driver): 'devicemapper' is
undefined

Ansible does not like evaluating strings as conditionals. This change switches
to using the length filter.

Change-Id: Ib95cbdac2a659e7a0d5f113fe48046de3a39dcda
Closes-Bug: #1849691

Instead of changing Docker daemon command line let's change config
for Docker instead. In /etc/docker/daemon.json file as it should be.

Custom Docker options can be set with 'docker_custom_config' variable.

Old 'docker_custom_option' is still present but should be avoided.

Co-Authored-By: Radosław Piliszek <radoslaw.piliszek@gmail.com>
Change-Id: I1215e04ec15b01c0b43bac8c0e81293f6724f278

No need to touch the sudoers.d file each time
Creation and mode setting is handled by lineinfile itself

Change-Id: Ia36e21b04d3a08fab3c748f6298f142c1d73ee6d
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>

Several config file permissions are incorrect on the host. In general,
files should be 0660, and directories and executables 0770.

Change-Id: Id276ac1864f280554e98b937f2845bb424d521de
Closes-Bug: #1821579

When kolla-ansible bootstrap-servers is run, it executes one of the
following two tasks:

- name: Ensure node_config_directory directory exists for user kolla
  file:
    path: "{{ node_config_directory }}"
    state: directory
    recurse: true
    owner: "{{ kolla_user }}"
    group: "{{ kolla_group }}"
    mode: "0755"
  become: True
  when: create_kolla_user | bool

- name: Ensure node_config_directory directory exists
  file:
    path: "{{ node_config_directory }}"
    state: directory
    recurse: true
    mode: "0755"
  become: True
  when: not create_kolla_user | bool

On the first run, normally node_config_directory (/etc/kolla/) doesn't
exist, so it is created with kolla:kolla ownership and 0755 permissions.

If we then run 'kolla-ansible deploy', config files are created for
containers in this directory, e.g. /etc/kolla/nova-compute/. Permissions
for those files should be set according to 'config_owner_user' and
'config_owner_group'.

If at some point we again run kolla-ansible bootstrap-servers, it will
recursively set the ownership and permissions of all files in /etc/kolla
to kolla:kolla / 0755.

The solution is to change bootstrap-servers to not set the owner and
permissions recursively. It's also arguable that /etc/kolla should be
owned by 'config_owner_user' and 'config_owner_group', rather than
kolla:kolla, although that's a separate issue.

Change-Id: I24668914a9cedc94d5a6cb835648740ce9ce6e39
Closes-Bug: #1821599

In some cases we may want a configuration in which the kolla user's
primary group name is not the same as their username. Doing this
currently breaks the sudoers configuration, since user entries should
reference a user, or a group prefixed with a '%'.

There does not seem to be a good reason to give root privileges to the
entire group (which sometimes may be a shared group), so let's revert to
giving only the user root privileges.

See kayobe CI test [1] in which a different user and group were
configured, leading to permission denied when using kolla ansible.

[1] http://logs.openstack.org/53/581053/2/check/kayobe-overcloud-centos/a70168e

TrivialFix

Change-Id: I677778ebd0de58df0adfa2a8705f161ec5552283

In some environments it may not be desirable to modify the sudoers
configuration. This change makes this part of bootstrap-servers
optional, based on the create_kolla_user_sudoers variable.

Change-Id: I653403bfc5431741807edef57df58e05e679900b

This makes the bootstrap-servers command more idempotent, since without
the append argument set the kolla user will be removed from the docker
group before being added to it again in a later task.

TrivialFix

Change-Id: Iab0f6b5e18a103e9140631ee3ebbbb48c490bc24

In I86bf5e1df3d6568c4f1ca6f4757f08a3dd22754d, creation of the kolla user
was moved to after package installation to ensure the sudo package is
installed when required. This change does not work when python
dependencies are installed in a virtual environment however - when the
virtualenv variable is set.

This change moves the ownership change of the virtualenv to after the
kolla user has been created. It also uses the kolla_user and kolla_group
variables to set the user and group appropriately.

Change-Id: I320e5d611099ad162945a98d5505a79606da0eba
TrivialFix

sudo package is required when we use ubuntu base on centos to deploy.

The following tasks belong to the environment check after
installation of environment-related software packages.
So, move to the post-install module.

    Create kolla user
    Add public key to kolla user authorized keys
    Grant kolla user passwordless sudo
    Ensure node_config_directory directory exists for user kolla
    Ensure node_config_directory directory exists

Change-Id: I86bf5e1df3d6568c4f1ca6f4757f08a3dd22754d
Closes-Bug: #1777571

This patchset implements yamllint test to all *.yml
files.

Also fixes syntax errors to make jobs to pass.

Change-Id: I3186adf9835b4d0cada272d156b17d1bc9c2b799

Change-Id: I653e16270aab539edcec6d8622f0a1c06d04b492

use systemd module to reload the docker service, rather than
command

Change-Id: I2e3b2299365701a08de4025d6ad34cb492b33fda
Closes-Bug: #1751690

1.Fix the invalid value about selinux policy
2.Update description of task about selinux.The permissive mode
need enable selinux.The parameter named "disable_selinux" is not good.
In order to customize selinux modes, we need a new
parameter named "selinux_state".

Closes-Bug: #1749046
Change-Id: I20c084cf2e46cc0de149afbd34c6dcb77a1051f4

Enable docker-ce on AArch64 platform in Debian.
Set the docker daemon name according to the existing of "dockerd" binary.

Closes-Bug: #1734255

Co-authored-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>

Change-Id: Ie0b3bac72b408dccf3fb99912b4fe2d4788705e5
Signed-off-by: Tone.Zhang <tone.zhang@arm.com>

This patch includes three unrelated fixes.

Make qemu use nova user in centos
Libvirt 3.2.0 (latest version in centos) seems to
have changed behavior of dynamic_ownership.

Pin ansible to <2.4 to make ara work in gates
ARA does not work yet with ansible 2.4, this change
pins to lower version to make gates work.
Revert once ara works with 2.4

Disable selinux for oraclelinux and centos.

Co-Authored-By: wanghongxu <wang19930902@gmail.com>
Co-Authored-By: Jeffrey Zhang <jeffrey.zhang@99cloud.net>
Change-Id: Iac8bec19437192cd198d58f71c6ed0a65a76f820
Closes-bug: #1718541

Baremetal roles does not keep common sytax used
in rest of the roles, even it baremetal role some
tasks differs in syntax with each others.

Change-Id: Ib04fe123501e2a3e829176953f20719a253999d3

Change-Id: I0447e90f53f9b04315bc4e6618e528351521e05d
Closes-Bug: #1705558

* "bool" filter is removed when not required
* 'not' is used instead of '== False' check

Change-Id: I85a5bb9a5ea874ac1c397cbf8de416147d2424c3

Removed code try to install Wily(15.10) kernel in case of Ubuntu
Trusty(14.04).
Last Openstack version supported on Ubuntu 14.04 is Mitaka.
Hence Ubuntu 14.04 related code can be safely remove from Ansible tasks
since Kolla Newton release.

Co-Authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>
Change-Id: Ieca7975a69fb0ba8b49cc522f05e4beca1c2f526

Removes precheck portion of NTP.
Corrects for redhat
Fixes typo

Change-Id: Ic8d2cd3c2ba02f9f672db862a74950dc73753f2d
Closes-Bug: #1700121

When you add new nodes to existing cluster, docker will restart
all anyway and that will break a lot, including mariadb.

Change-Id: Ie46f99a141f99480a87218ead4b76ba65f2edae9
Closes-Bug: #1699335

Change-Id: I1e90b0aeebaa0db0b91370eccfc0b707d9668752

make bool filter more consistence between all roles.

TrivialFix

Change-Id: Icd51749039b1448e09a4713da093b16f965f9ed8

TrivialFix

Change-Id: I2cc1441a5fcf9c09db01d17c840bb784f4db1c0e

TrivialFix

Change-Id: I778d0a55adf1302c7a6f0702fec3a381d851f3df

TrivialFix

Change-Id: Ifa6432f24d4eaa354b977b71a6dbcd5f5080e1b0

Change-Id: Ie70db1b18a73528b1194e4fbcf53d09fed20f4a0
Implements: blueprint kolla-host