---
- name: Check nova keyring file
vars:
keyring: "{{ nova_ceph_cluster }}.{{ ceph_nova_keyring }}"
paths:
- "{{ node_custom_config }}/nova/{{ inventory_hostname }}/{{ keyring }}"
- "{{ node_custom_config }}/nova/{{ keyring }}"
stat:
path: "{{ lookup('first_found', paths) }}"
delegate_to: localhost
register: nova_cephx_keyring_file
failed_when: not nova_cephx_keyring_file.stat.exists
when:
- nova_backend == "rbd"
- external_ceph_cephx_enabled | bool
- name: Check cinder keyring file
vars:
keyring: "{{ nova_ceph_cluster }}.{{ ceph_cinder_keyring }}"
paths:
- "{{ node_custom_config }}/nova/{{ inventory_hostname }}/{{ keyring }}"
- "{{ node_custom_config }}/nova/{{ keyring }}"
stat:
path: "{{ lookup('first_found', paths) }}"
delegate_to: localhost
register: cinder_cephx_keyring_file
failed_when: not cinder_cephx_keyring_file.stat.exists
when:
- cinder_backend_ceph | bool
- external_ceph_cephx_enabled | bool
- name: Extract nova key from file
set_fact:
nova_cephx_raw_key:
"{{ lookup('template', nova_cephx_keyring_file.stat.path) | regex_search('key\\s*=.*$', multiline=True) | regex_replace('key\\s*=\\s*(.*)\\s*', '\\1') }}"
changed_when: false
when:
- nova_backend == "rbd"
- external_ceph_cephx_enabled | bool
- name: Extract cinder key from file
set_fact:
cinder_cephx_raw_key:
"{{ lookup('template', cinder_cephx_keyring_file.stat.path) | regex_search('key\\s*=.*$', multiline=True) | regex_replace('key\\s*=\\s*(.*)\\s*', '\\1') }}"
changed_when: false
when:
- cinder_backend_ceph | bool
- external_ceph_cephx_enabled | bool
- name: Copy over ceph nova keyring file
template:
src: "{{ nova_cephx_keyring_file.stat.path }}"
dest: "{{ node_config_directory }}/{{ item }}/"
owner: "{{ config_owner_user }}"
group: "{{ config_owner_group }}"
mode: "0660"
become: true
with_items:
- nova-compute
when:
- inventory_hostname in groups[nova_cell_compute_group]
- nova_backend == "rbd"
- external_ceph_cephx_enabled | bool
notify:
- Restart {{ item }} container
- name: Copy over ceph cinder keyring file
template:
src: "{{ cinder_cephx_keyring_file.stat.path }}"
dest: "{{ node_config_directory }}/{{ item }}/"
owner: "{{ config_owner_user }}"
group: "{{ config_owner_group }}"
mode: "0660"
become: true
with_items: # NOTE: nova-libvirt does not need it
- nova-compute
when:
- inventory_hostname in groups[nova_cell_compute_group]
- nova_backend == "rbd"
- external_ceph_cephx_enabled | bool
notify:
- Restart {{ item }} container
- name: Copy over ceph.conf
vars:
service: "{{ nova_cell_services[item] }}"
paths:
- "{{ node_custom_config }}/nova/{{ inventory_hostname }}/{{ nova_ceph_cluster }}.conf"
- "{{ node_custom_config }}/nova/{{ nova_ceph_cluster }}.conf"
template:
src: "{{ lookup('first_found', paths) }}"
dest: "{{ node_config_directory }}/{{ item }}/"
owner: "{{ config_owner_user }}"
group: "{{ config_owner_group }}"
mode: "0660"
become: true
with_items:
- nova-compute
- nova-libvirt
when:
- service | service_enabled_and_mapped_to_host
- nova_backend == "rbd"
notify:
- Restart {{ item }} container
- block:
- name: Ensure /etc/ceph directory exists (host libvirt)
vars:
paths:
- "{{ node_custom_config }}/nova/{{ inventory_hostname }}/{{ nova_ceph_cluster }}.conf"
- "{{ node_custom_config }}/nova/{{ nova_ceph_cluster }}.conf"
file:
path: "/etc/ceph/"
state: "directory"
owner: "root"
group: "root"
mode: "0755"
become: true
- name: Copy over ceph.conf (host libvirt)
vars:
paths:
- "{{ node_custom_config }}/nova/{{ inventory_hostname }}/{{ nova_ceph_cluster }}.conf"
- "{{ node_custom_config }}/nova/{{ nova_ceph_cluster }}.conf"
template:
src: "{{ lookup('first_found', paths) }}"
dest: "/etc/ceph/{{ nova_ceph_cluster }}.conf"
owner: "root"
group: "root"
mode: "0644"
become: true
when:
- not enable_nova_libvirt_container | bool
- inventory_hostname in groups[nova_cell_compute_group]
- nova_backend == "rbd"
- block:
- name: Ensuring libvirt secrets directory exists
vars:
service: "{{ nova_cell_services['nova-libvirt'] }}"
file:
path: "{{ libvirt_secrets_dir }}"
state: "directory"
owner: "{{ config_owner_user }}"
group: "{{ config_owner_group }}"
mode: "0770"
become: true
when: service | service_enabled_and_mapped_to_host
- name: Pushing nova secret xml for libvirt
vars:
service: "{{ nova_cell_services['nova-libvirt'] }}"
template:
src: "secret.xml.j2"
dest: "{{ libvirt_secrets_dir }}/{{ item.uuid }}.xml"
owner: "{{ config_owner_user }}"
group: "{{ config_owner_group }}"
mode: "0600"
become: true
when: service | service_enabled_and_mapped_to_host
with_items:
- uuid: "{{ rbd_secret_uuid }}"
name: "client.nova secret"
enabled: "{{ nova_backend == 'rbd' }}"
- uuid: "{{ cinder_rbd_secret_uuid }}"
name: "client.cinder secret"
enabled: "{{ cinder_backend_ceph }}"
notify: "{{ libvirt_restart_handlers }}"
- name: Pushing secrets key for libvirt
vars:
service: "{{ nova_cell_services['nova-libvirt'] }}"
template:
src: "libvirt-secret.j2"
dest: "{{ libvirt_secrets_dir }}/{{ item.uuid }}.base64"
owner: "{{ config_owner_user }}"
group: "{{ config_owner_group }}"
mode: "0600"
become: true
when:
- service | service_enabled_and_mapped_to_host
- item.enabled | bool
- external_ceph_cephx_enabled | bool
with_items:
# NOTE(yoctozepto): 'default' filter required due to eager evaluation of item content
# which will be undefined if the applicable condition is False
- uuid: "{{ rbd_secret_uuid }}"
result: "{{ nova_cephx_raw_key | default }}"
enabled: "{{ nova_backend == 'rbd' }}"
- uuid: "{{ cinder_rbd_secret_uuid }}"
result: "{{ cinder_cephx_raw_key | default }}"
enabled: "{{ cinder_backend_ceph }}"
notify: "{{ libvirt_restart_handlers }}"
no_log: True
vars:
libvirt_secrets_dir: >-
{{ (node_config_directory ~ '/nova-libvirt/secrets')
if enable_nova_libvirt_container | bool
else '/etc/libvirt/secrets' }}
# NOTE(mgoddard): When running libvirt as a host daemon, on CentOS it
# appears to pick up secrets automatically, while on Ubuntu it requires a
# reload. This may be due to differences in tested versions of libvirt
# (8.0.0 vs 6.0.0). Reload should be low overhead, so do it always.
libvirt_restart_handlers: >-
{{ ['Restart nova-libvirt container']
if enable_nova_libvirt_container | bool else
['Reload libvirtd'] }}