Merge pull request #765 from stackhpc/2023.1-zed-merge

2023.1: zed merge

Author: markgoddard

.github/workflows/overcloud-host-image-build.yml

@@ -11,10 +11,6 @@ on:
         description: Build Ubuntu 22.04 Jammy
         type: boolean
         default: true
-      SMS:
-        description: Push images to SMS
-        type: boolean
-        default: true
     secrets:
       KAYOBE_VAULT_PASSWORD:
         required: true
@@ -166,7 +162,7 @@ jobs:
         env:
           OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
           OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
-        if: inputs.rocky9 && steps.build_rocky_9.outcome == 'success' && inputs.sms
+        if: inputs.rocky9 && steps.build_rocky_9.outcome == 'success'
 
       - name: Build an Ubuntu Jammy 22.04 overcloud host image
         id: build_ubuntu_jammy
@@ -210,7 +206,7 @@ jobs:
         env:
           OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
           OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
-        if: inputs.ubuntu-jammy && steps.build_ubuntu_jammy.outcome == 'success' && inputs.sms
+        if: inputs.ubuntu-jammy && steps.build_ubuntu_jammy.outcome == 'success'
 
       - name: Upload updated images artifact
         uses: actions/upload-artifact@v3

doc/source/configuration/cephadm.rst

@@ -308,6 +308,136 @@ should be used in the Kolla Manila configuration e.g.:
 
   manila_cephfs_filesystem_name: manila-cephfs
 
+RADOS Gateways
+--------------
+
+RADOS Gateways (RGWs) are defined with the following:
+
+.. code:: yaml
+
+  cephadm_radosgw_services:
+    - id: myrgw
+      count_per_host: 1
+      spec:
+        rgw_frontend_port: 8100
+
+The port chosen must not conflict with any other processes running on the Ceph
+hosts. Port 8100 does not conflict with our default suite of services.
+
+Ceph RGWs require additional configuration to:
+
+  * Support both S3 and Swift APIs.
+
+  * Authenticate user access via Keystone.
+
+  * Allow cross-project and public object access.
+
+The set of commands below configure all of these.
+
+.. code:: yaml
+
+  # Append the following to cephadm_commands_post:
+  - "config set client.rgw rgw_content_length_compat true"
+  - "config set client.rgw rgw_enable_apis 's3, swift, swift_auth, admin'"
+  - "config set client.rgw rgw_enforce_swift_acls true"
+  - "config set client.rgw rgw_keystone_accepted_admin_roles 'admin'"
+  - "config set client.rgw rgw_keystone_accepted_roles 'member, Member, _member_, admin'"
+  - "config set client.rgw rgw_keystone_admin_domain Default"
+  - "config set client.rgw rgw_keystone_admin_password {{ secrets_ceph_rgw_keystone_password }}"
+  - "config set client.rgw rgw_keystone_admin_project service"
+  - "config set client.rgw rgw_keystone_admin_user 'ceph_rgw'"
+  - "config set client.rgw rgw_keystone_api_version '3'"
+  - "config set client.rgw rgw_keystone_token_cache_size '10000'"
+  - "config set client.rgw rgw_keystone_url https://{{ kolla_internal_fqdn }}:5000"
+  - "config set client.rgw rgw_keystone_verify_ssl false"
+  - "config set client.rgw rgw_max_attr_name_len '1000'"
+  - "config set client.rgw rgw_max_attr_size '1000'"
+  - "config set client.rgw rgw_max_attrs_num_in_req '1000'"
+  - "config set client.rgw rgw_s3_auth_use_keystone true"
+  - "config set client.rgw rgw_swift_account_in_url true"
+  - "config set client.rgw rgw_swift_versioning_enabled true"
+
+As we have configured Ceph to respond to Swift APIs, you will need to tell
+Kolla to account for this when registering Swift endpoints with Keystone. Also,
+when ``rgw_swift_account_in_url`` is set, the equivalent Kolla variable should
+be set in Kolla ``globals.yml`` too:
+
+.. code:: yaml
+
+  ceph_rgw_swift_compatibility: false
+  ceph_rgw_swift_account_in_url: true
+
+``secrets_ceph_rgw_keystone_password`` should be stored in the Kayobe
+``secrets.yml``, and set to the same value as ``ceph_rgw_keystone_password`` in
+the Kolla ``passwords.yml``. As such, you will need to configure Keystone
+before deploying the RADOS gateways. If you are using the Kolla load balancer
+(see :ref:`RGWs-with-hyper-converged-Ceph` for more info), you can specify the
+``haproxy`` and ``loadbalancer`` tags here too.
+
+.. code:: yaml
+
+  kayobe overcloud service deploy -kt ceph-rgw,keystone,haproxy,loadbalancer
+
+
+.. _RGWs-with-hyper-converged-Ceph:
+
+RGWs with hyper-converged Ceph
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you are using a hyper-converged Ceph setup (i.e. your OpenStack controllers
+and Ceph storage nodes share the same hosts), you should double-check that
+``rgw_frontend_port`` does not conflict with any processes on the controllers.
+For example, port 80 (and 443) will be bound to the Kolla-deployed haproxy. You
+should choose a custom port that does not conflict with any OpenStack endpoints
+too (``openstack endpoint list``).
+
+You may also want to use the Kolla-deployed haproxy to load balance your RGWs.
+This means you will not need to define any Ceph ingress services. Instead, you
+add definitions of your Ceph hosts to Kolla ``globals.yml``:
+
+.. code:: yaml
+
+  ceph_rgw_hosts:
+    - host: controller1
+      ip: <host IP on storage net>
+      port: 8100
+    - host: controller2
+      ip: <host IP on storage net>
+      port: 8100
+    - host: controller3
+      ip: <host IP on storage net>
+      port: 8100
+
+HA with Ingress services
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+Ingress services are defined with the following. ``id`` should match the name
+(not id) of the RGW service to which ingress will point to. ``spec`` is a
+service specification required by Cephadm to deploy the ingress (haproxy +
+keepalived pair).
+
+Note that the ``virtual_ip`` here must be different than the Kolla VIP. The
+choice of subnet will be dependent on your deployment, and can be outside
+of any Ceph networks.
+
+.. code:: yaml
+
+  cephadm_ingress_services:
+    - id: rgw.myrgw
+      spec:
+        frontend_port: 443
+        monitor_port: 1967
+        virtual_ip: 10.66.0.1/24
+        ssl_cert: {example_certificate_chain}
+
+When using ingress services, you will need to stop Kolla from configuring your
+RGWs to use the Kolla-deployed haproxy. Set the following in Kolla
+``globals.yml``:
+
+.. code:: yaml
+
+  enable_ceph_rgw_loadbalancer: false
+
 Deployment
 ==========
 
@@ -345,8 +475,14 @@ cephadm.yml playbook to perform post-deployment configuration:
 
    kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm.yml
 
-The ``cephadm.yml`` playbook imports various other playbooks, which may
-also be run individually to perform specific tasks.
+The ``cephadm.yml`` playbook imports various other playbooks, which may also be
+run individually to perform specific tasks. Note that if you want to deploy
+additional services (such as RGWs or ingress) after an initial deployment, you
+will need to set ``cephadm_bootstrap`` to true. For example:
+
+.. code:: bash
+
+   kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm.yml -e cephadm_bootstrap=true
 
 Configuration generation
 ------------------------

etc/kayobe/ansible/ovn-fix-chassis-priorities.yml

@@ -22,19 +22,19 @@
   hosts: "{{ ovn_nb_db_group | default('controllers') }}"
   tasks:
     - name: Find the OVN NB DB leader
-      command: docker exec -it ovn_nb_db ovn-nbctl get-connection
+      ansible.builtin.command: docker exec ovn_nb_db ovn-nbctl get-connection
       changed_when: false
       failed_when: false
       register: ovn_check_result
-      check_mode: no
+      check_mode: false
 
     - name: Group hosts by leader/follower role
-      group_by:
+      ansible.builtin.group_by:
         key: "ovn_nb_{{ 'leader' if ovn_check_result.rc == 0 else 'follower' }}"
       changed_when: false
 
     - name: Assert one leader exists
-      assert:
+      ansible.builtin.assert:
         that:
           - groups['ovn_nb_leader'] | default([]) | length == 1
 
@@ -47,23 +47,27 @@
     gateway_chassis_max_priority: "{{ ovn_nb_db_hosts_sorted | length }}"
   tasks:
     - name: Fix ha_chassis priorities
-      command: >-
-        docker exec -it ovn_nb_db
+      ansible.builtin.command: >-
+        docker exec ovn_nb_db
         bash -c '
         ovn-nbctl find ha_chassis chassis_name={{ item }} |
         awk '\''$1 == "_uuid" { print $3 }'\'' |
         while read uuid; do ovn-nbctl set ha_chassis $uuid priority={{ priority }}; done'
       loop: "{{ ovn_nb_db_hosts_sorted }}"
       vars:
         priority: "{{ ha_chassis_max_priority | int - ovn_nb_db_hosts_sorted.index(item) }}"
+      register: ha_chassis_command
+      changed_when: ha_chassis_command.rc == 0
 
     - name: Fix gateway_chassis priorities
-      command: >-
-        docker exec -it ovn_nb_db
+      ansible.builtin.command: >-
+        docker exec ovn_nb_db
         bash -c '
         ovn-nbctl find gateway_chassis chassis_name={{ item }} |
         awk '\''$1 == "_uuid" { print $3 }'\'' |
         while read uuid; do ovn-nbctl set gateway_chassis $uuid priority={{ priority }}; done'
       loop: "{{ ovn_nb_db_hosts_sorted }}"
       vars:
         priority: "{{ gateway_chassis_max_priority | int - ovn_nb_db_hosts_sorted.index(item) }}"
+      register: gateway_chassis_command
+      changed_when: gateway_chassis_command.rc == 0

etc/kayobe/ansible/requirements.yml

@@ -2,6 +2,10 @@
 collections:
   - name: stackhpc.cephadm
     version: 1.14.0
+  # NOTE: Pinning pulp.squeezer to 0.0.13 because 0.0.14+ depends on the
+  # pulp_glue Python library being installed.
+  - name: pulp.squeezer
+    version: 0.0.13
   - name: stackhpc.pulp
     version: 0.5.2
   - name: stackhpc.hashicorp

etc/kayobe/ansible/wazuh-agent.yml

@@ -5,3 +5,35 @@
   tasks:
     - import_role:
         name: "wazuh-ansible/wazuh-ansible/roles/wazuh/ansible-wazuh-agent"
+  post_tasks:
+    - name: Check if custom SCA policies directory exists
+      stat:
+        path: "{{ local_custom_sca_policies_path }}"
+      register: custom_sca_policies_folder
+      delegate_to: localhost
+
+    - name: Gather list of custom SCA policies
+      find:
+        paths: "{{ local_custom_sca_policies_path }}"
+        patterns: '*.yml'
+      delegate_to: localhost
+      register: custom_sca_policies
+      when: custom_sca_policies_folder.stat.exists
+
+    - name: Allow Wazuh agents to execute commands in SCA policies sent from the Wazuh manager
+      become: yes
+      blockinfile:
+        path: "/var/ossec/etc/local_internal_options.conf"
+        state: present
+        owner: wazuh
+        group: wazuh
+        block: sca.remote_commands=1
+      when: custom_sca_policies.files | length > 0
+      notify:
+        - Restart wazuh-agent
+
+  handlers:
+    - name: Restart wazuh-agent
+      service:
+        name: wazuh-agent
+        state: restarted

etc/kayobe/ansible/wazuh-manager.yml

@@ -65,16 +65,7 @@
           delegate_to: localhost
           register: custom_sca_policies
           when: custom_sca_policies_folder.stat.exists
-
-        - name: Allow Wazuh agents to execute commands in SCA policies sent from the Wazuh manager
-          blockinfile:
-            path: "/var/ossec/etc/local_internal_options.conf"
-            state: present
-            owner: wazuh
-            group: wazuh
-            block: |
-              sca.remote_commands=1
-          when: custom_sca_policies.files | length > 0
+          become: no
 
         - name: Copy custom SCA policy files to Wazuh manager
           copy:
@@ -124,7 +115,6 @@
     - name: Perform health check against filebeat
       command: filebeat test output
       changed_when: false
-      become: true
       retries: 2
 
   handlers:

etc/kayobe/bifrost.yml

@@ -5,11 +5,11 @@
 # Bifrost installation.
 
 # URL of Bifrost source code repository.
-kolla_bifrost_source_url: "{{ stackhpc_bifrost_source_url }}"
+#kolla_bifrost_source_url:
 
 # Version (branch, tag, etc.) of Bifrost source code repository. Default is
 # {{ openstack_branch }}.
-kolla_bifrost_source_version: "{{ stackhpc_bifrost_source_version }}"
+#kolla_bifrost_source_version:
 
 # Whether Bifrost uses firewalld. Default value is false to avoid conflicting
 # with iptables rules configured on the seed host by Kayobe.

etc/kayobe/cephadm.yml

@@ -86,8 +86,14 @@ cephadm_cluster_network: "{{ storage_mgmt_net_name | net_cidr }}"
 # stackhpc.cephadm.commands for format. Pre commands run before the rest of the
 # post-deployment configuration, post commands run after the rest of the
 # post-deployment configuration.
-#cephadm_commands_pre:
-#cephadm_commands_post:
+cephadm_commands_pre: "{{ cephadm_commands_pre_default + cephadm_commands_pre_extra }}"
+cephadm_commands_post: "{{ cephadm_commands_post_default + cephadm_commands_post_extra }}"
+
+cephadm_commands_pre_default: []
+cephadm_commands_pre_extra: []
+
+cephadm_commands_post_default: "{{ ['mgr module enable prometheus'] if kolla_enable_prometheus_ceph_mgr_exporter | bool else [] }}"
+cephadm_commands_post_extra: []
 
 ###############################################################################
 # Kolla Ceph auto-configuration.

etc/kayobe/inventory/group_vars/all/wazuh

@@ -0,0 +1,3 @@
+---
+# Ansible custom SCA policies directory
+local_custom_sca_policies_path: "{{ kayobe_env_config_path }}/wazuh/custom_sca_policies"

etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager

@@ -21,9 +21,6 @@ indexer_node_master: true
 # Ansible control host certificate directory
 local_certs_path: "{{ kayobe_env_config_path }}/wazuh"
 
-# Ansible custom SCA policies directory
-local_custom_sca_policies_path: "{{ kayobe_env_config_path }}/wazuh/custom_sca_policies"
-
 # Indexer variables
 indexer_node_name: "{{ inventory_hostname }}"