diff --git a/ansible/inventory/group_vars/all/inspector b/ansible/inventory/group_vars/all/inspector index b65faaf80..b26110112 100644 --- a/ansible/inventory/group_vars/all/inspector +++ b/ansible/inventory/group_vars/all/inspector @@ -114,6 +114,9 @@ inspector_rule_var_redfish_password: # Redfish CA setting. inspector_rule_var_redfish_verify_ca: True +# Log Ironic inspector rules marked sensitive. +ironic_inspector_sensitive_rule_no_log: True + # Ironic inspector rule to set IPMI credentials. inspector_rule_ipmi_credentials: description: "Set IPMI driver_info if no credentials" diff --git a/ansible/inventory/group_vars/all/kolla b/ansible/inventory/group_vars/all/kolla index 411b116e6..dfdd4f6b6 100644 --- a/ansible/inventory/group_vars/all/kolla +++ b/ansible/inventory/group_vars/all/kolla @@ -256,6 +256,8 @@ overcloud_container_image_regex_map: enabled: "{{ kolla_enable_cinder | bool or kolla_enable_ironic | bool }}" - regex: ^trove enabled: "{{ kolla_enable_trove | bool }}" + - regex: ^valkey + enabled: "{{ kolla_enable_valkey | bool }}" - regex: ^watcher enabled: "{{ kolla_enable_watcher | bool }}" - regex: ^zun @@ -580,6 +582,7 @@ kolla_enable_swift: "no" kolla_enable_tacker: "no" kolla_enable_telegraf: "no" kolla_enable_trove: "no" +kolla_enable_valkey: "no" kolla_enable_vitrage: "no" kolla_enable_watcher: "no" kolla_enable_zun: "no" diff --git a/ansible/roles/etc-hosts/defaults/main.yml b/ansible/roles/etc-hosts/defaults/main.yml index abc8435f6..3d880182b 100644 --- a/ansible/roles/etc-hosts/defaults/main.yml +++ b/ansible/roles/etc-hosts/defaults/main.yml @@ -4,3 +4,8 @@ customize_etc_hosts: true # List of hosts to add to /etc/hosts. etc_hosts_hosts: "{{ groups['overcloud'] }}" + +# Dictionary of custom /etc/hosts entries. +# Each key is added as a hostname, +# Each value is added as an IP. +custom_etc_hosts_entries: {} diff --git a/ansible/roles/etc-hosts/tasks/etc-hosts.yml b/ansible/roles/etc-hosts/tasks/etc-hosts.yml index 19b45db51..59680a226 100644 
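Review bot: The comment added above `ironic_inspector_sensitive_rule_no_log` in ansible/inventory/group_vars/all/inspector reads "Log Ironic inspector rules marked sensitive", which is the opposite of what the variable does. In the ironic-inspector-rules task it feeds `no_log`, so `True` suppresses Ansible output for rules marked sensitive. The same wording is added to etc/kayobe/inspector.yml, where an operator reading it literally could set the value to `False` expecting that to hide credentials. I would use `# Whether to set no_log on Ironic inspector rules marked sensitive, hiding them from Ansible output.` in both files.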
--- a/ansible/roles/etc-hosts/tasks/etc-hosts.yml +++ b/ansible/roles/etc-hosts/tasks/etc-hosts.yml @@ -31,6 +31,9 @@ {{ hostvars[host].internal_net_name | net_ip(inventory_hostname=host) }} {{ hostnames | unique | join(' ') }} {% endif %} {% endfor %} + {% for item in custom_etc_hosts_entries | dict2items %} + {{ item.value }} {{ item.key }} + {% endfor %} become: True when: # Skip hosts that do not have a valid internal network interface. diff --git a/ansible/roles/ironic-inspector-rules/defaults/main.yml b/ansible/roles/ironic-inspector-rules/defaults/main.yml index fd36cc0cf..fb8541fe7 100644 --- a/ansible/roles/ironic-inspector-rules/defaults/main.yml +++ b/ansible/roles/ironic-inspector-rules/defaults/main.yml @@ -23,3 +23,6 @@ ironic_inspector_interface: # List of rules which should exist. See the Inspector rules API for details of # parameters available for rules. ironic_inspector_rules: [] + +# Set no_log for inspector rules marked sensitive +ironic_inspector_sensitive_rule_no_log: diff --git a/ansible/roles/ironic-inspector-rules/tasks/main.yml b/ansible/roles/ironic-inspector-rules/tasks/main.yml index 41a1aab7e..d89a77555 100644 --- a/ansible/roles/ironic-inspector-rules/tasks/main.yml +++ b/ansible/roles/ironic-inspector-rules/tasks/main.yml @@ -16,4 +16,9 @@ state: present loop_control: label: "{{ ironic_inspector_rules[item].description }}" + no_log: >- + {{ + (ironic_inspector_rules[item].sensitive | default(False)) + and ironic_inspector_sensitive_rule_no_log + }} with_items: "{{ range(0, ironic_inspector_rules | length) | list }}" diff --git a/ansible/roles/kolla-ansible/templates/overcloud-components.j2 b/ansible/roles/kolla-ansible/templates/overcloud-components.j2 index 6734b619b..f8c90e2cb 100644 --- a/ansible/roles/kolla-ansible/templates/overcloud-components.j2 +++ b/ansible/roles/kolla-ansible/templates/overcloud-components.j2 
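Review bot: The added `{{ item.value }} {{ item.key }}` line in etc-hosts.yml writes each `custom_etc_hosts_entries` pair into the `/etc/hosts` block as-is, with no check that the value is an IP address or that the key is a single hostname. A typo or a multi-line value would produce a malformed or extra hosts entry on the target hosts, written under `become`. A preceding `assert` task that rejects keys containing whitespace and values that are not addresses would catch this; if the `ansible.utils` collection is available to these playbooks, `item.value | ansible.utils.ipaddr` is one way to test the value. The task this loop belongs to starts above the hunk, so where the assert goes depends on lines not shown here.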
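Review bot: The role default `ironic_inspector_sensitive_rule_no_log:` in ironic-inspector-rules/defaults/main.yml is left empty, which YAML loads as null. When the role runs without Kayobe's group_vars, the `no_log` expression added in tasks/main.yml (`... and ironic_inspector_sensitive_rule_no_log`) then appears to evaluate to a falsy value, so rules marked `sensitive` would still be logged. The empty value matches how this file declares other variables (`ironic_inspector_interface:` is visible as context), but a masking control is safer failing closed: `ironic_inspector_sensitive_rule_no_log: true`. The comment could also state the default, e.g. `# Whether to set no_log for inspector rules marked sensitive. Default is true.`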
@@ -36,19 +36,9 @@ monitoring [etcd:children] control -[influxdb:children] -monitoring - [prometheus:children] monitoring -[telegraf:children] -compute -control -monitoring -network -storage - [hacluster:children] control @@ -151,6 +141,10 @@ control [skyline:children] control +# TODO(vurmil): Remove after G/2026.1 release as Redis migration is no longer required +[redis:children] +control + [valkey:children] control diff --git a/ansible/roles/kolla-ansible/templates/overcloud-services.j2 b/ansible/roles/kolla-ansible/templates/overcloud-services.j2 index 086045cb1..c02c2333d 100644 --- a/ansible/roles/kolla-ansible/templates/overcloud-services.j2 +++ b/ansible/roles/kolla-ansible/templates/overcloud-services.j2 @@ -18,12 +18,16 @@ common [fluentd:children] common -[kolla-logs:children] -common - [kolla-toolbox:children] common +[kolla_logs:children] +control +network +compute +storage +monitoring + [opensearch:children] control @@ -410,6 +414,9 @@ monitoring [prometheus-libvirt-exporter:children] compute +[prometheus-valkey-exporter:children] +valkey + [masakari-api:children] control diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst index 95ce37523..c7bb98736 100644 --- a/doc/source/configuration/reference/hosts.rst +++ b/doc/source/configuration/reference/hosts.rst @@ -1553,6 +1553,15 @@ follows: etc_hosts_gather_facts: false +Custom entries can be added to the ``custom_etc_hosts_entries`` dictionary. +Each key is treated as a hostname and each value is the IP, for example: + +.. code-block:: yaml + + custom_etc_hosts_entries: + foo.exaple.com: 1.2.3.4 + bar.exaple.com: 5.6.7.8 + Installing packages required by Kolla Ansible ============================================= *tags:* diff --git a/etc/kayobe/inspector.yml b/etc/kayobe/inspector.yml index 926316b71..a39242a37 100644 --- a/etc/kayobe/inspector.yml +++ b/etc/kayobe/inspector.yml 
@@ -98,6 +98,9 @@ # Redfish CA setting. Set to 'True' by default #inspector_rule_var_redfish_verify_ca: +# Log Ironic inspector rules marked sensitive. Set to 'True' by default +#ironic_inspector_sensitive_rule_no_log: + # Ironic inspector rule to set IPMI credentials. #inspector_rule_ipmi_credentials: diff --git a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 index b0e4cd21d..b3fd5fcd8 100644 --- a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 +++ b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 @@ -231,3 +231,7 @@ compute_libvirt_sasl_password: "{% raw %}{{ lookup('password', '/tmp/libvirt-sas dnf_use_local_mirror: true controller_fail2ban_enabled: true {% endif %} + +# Add a custom entry to /etc/hosts. +custom_etc_hosts_entries: + foo.example.com: 127.0.0.88 diff --git a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py index f8e394909..977fbc89e 100644 --- a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py +++ b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py @@ -374,3 +374,10 @@ def test_swap(host): assert len(swapon) > 1 swap_devs = [swap.split()[0] for swap in swapon[1:]] assert "/swapfile" in swap_devs + + +def test_etc_hosts(host): + hosts_entries = host.check_output("cat /etc/hosts") + assert "127.0.0.88 foo.example.com" in hosts_entries + ping_result = host.check_output("ping -c 1 foo.example.com") + assert "1 received" in ping_result diff --git a/releasenotes/notes/build-valkey-image-7b4ff265ecb5aba5.yaml b/releasenotes/notes/build-valkey-image-7b4ff265ecb5aba5.yaml new file mode 100644 index 000000000..1d6534477 --- /dev/null +++ b/releasenotes/notes/build-valkey-image-7b4ff265ecb5aba5.yaml 
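Review bot: `test_etc_hosts` checks name resolution by running `ping -c 1 foo.example.com` and matching "1 received". That ties the test to the ping binary being installed, ICMP being permitted for the test user, and the exact output format. Resolution through /etc/hosts can be checked directly with `assert host.check_output("getent hosts foo.example.com").split()[0] == "127.0.0.88"`. The first assertion is a substring match over the whole file, so it would also pass for a longer name that merely starts with `foo.example.com`; that is probably acceptable for a CI fixture.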
@@ -0,0 +1,5 @@ +--- +fixes: + - | + ``valkey`` images are now built when ``kolla_enable_valkey`` is set to + ``true``. diff --git a/releasenotes/notes/custom-etc-hosts-f85fcff9aac727aa.yaml b/releasenotes/notes/custom-etc-hosts-f85fcff9aac727aa.yaml new file mode 100644 index 000000000..a720d0f3d --- /dev/null +++ b/releasenotes/notes/custom-etc-hosts-f85fcff9aac727aa.yaml @@ -0,0 +1,8 @@ +--- +features: + - | + Added a new variable, ``custom_etc_hosts_entries``, for appending entries + to ``/etc/hosts``. This is a generic mechanism which, unlike + ``etc_hosts_hosts``, can be used to add hosts outside of the Kayobe + inventory. ``custom_etc_hosts_entries`` is a dictionary, where each key is + a hostname and each value is an IP. diff --git a/releasenotes/notes/deprecate-kolla-tags-and-kolla-limits-254faef5584176e1.yaml b/releasenotes/notes/deprecate-kolla-tags-and-kolla-limits-254faef5584176e1.yaml new file mode 100644 index 000000000..6783f5e47 --- /dev/null +++ b/releasenotes/notes/deprecate-kolla-tags-and-kolla-limits-254faef5584176e1.yaml 
@@ -0,0 +1,22 @@ +--- +features: + - | + Added the tag ``bifrost`` to ``kolla-bifrost.yml`` so that we can easily + limit to Bifrost in ``kayobe seed service deploy``. + - | + Deprecated the options ``--kolla-tags`` and ``kolla-limit`` for all + commands. Regular ``--tags`` and ``--limit`` will now be passed directly to + the Kolla-Ansible invocations. Added the tag ``kayobe-generate-config`` to + ``kolla-ansible.yml`` and ``kolla-openstack.yml``. This tag is now always + called, to allow for limiting to OpenStack services with just one tag, e.g. + ``kayobe overcloud service deploy -t nova``. You can still skip this with + ``--skip-tags kayobe-generate-config``. +upgrade: + - | + Deprecated the options ``--kolla-tags`` and ``kolla-limit`` for all + commands. Regular ``--tags`` and ``--limit`` will now be passed directly to + the Kolla-Ansible invocations. Added the tag ``kayobe-generate-config`` to + ``kolla-ansible.yml`` and ``kolla-openstack.yml``. This tag is now always + called, to allow for limiting to OpenStack services with just one tag, e.g. + ``kayobe overcloud service deploy -t nova``. You can still skip this with + ``--skip-tags kayobe-generate-config``. diff --git a/releasenotes/notes/drop-kolla-tags-and-kolla-limits-254faef5584176e1.yaml b/releasenotes/notes/drop-kolla-tags-and-kolla-limits-254faef5584176e1.yaml deleted file mode 100644 index 854451fbd..000000000 --- a/releasenotes/notes/drop-kolla-tags-and-kolla-limits-254faef5584176e1.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -features: - - | - Added the tag ``bifrost`` to ``kolla-bifrost.yml`` so that we can easily - limit to Bifrost in ``kayobe seed service deploy``. - - | - Removed the options ``--kolla-tags`` and ``kolla-limit`` from all commands. - Regular ``--tags`` and ``--limit`` will now be passed directly to the - Kolla-Ansible invocations. Added the tag ``kayobe-generate-config`` to - ``kolla-ansible.yml`` and ``kolla-openstack.yml``. This tag is now always - called, to allow for limiting to OpenStack services with just one tag, e.g. - ``kayobe overcloud service deploy -t nova`. You can still skip this with - ``--skip-tags kayobe-generate-config``. -upgrade: - - | - Removed the options ``--kolla-tags`` and ``kolla-limit`` from all commands. - Regular ``--tags`` and ``--limit`` will now be passed directly to the - Kolla-Ansible invocations. Added the tag ``kayobe-generate-config`` to - ``kolla-ansible.yml`` and ``kolla-openstack.yml``. This tag is now always - called, to allow for limiting to OpenStack services with just one tag, e.g. - ``kayobe overcloud service deploy -t nova`. You can still skip this with - ``--skip-tags kayobe-generate-config``. diff --git a/releasenotes/notes/no-log-sensitive-inspector-rules-6d6edfcae25feb82.yaml b/releasenotes/notes/no-log-sensitive-inspector-rules-6d6edfcae25feb82.yaml new file mode 100644 index 000000000..f1548210b --- /dev/null +++ b/releasenotes/notes/no-log-sensitive-inspector-rules-6d6edfcae25feb82.yaml @@ -0,0 +1,4 @@ +--- +security: + - | + Prevents sensitive inspector rules from appearing in ansible output. diff --git a/roles/kayobe-ci-prep/tasks/main.yml b/roles/kayobe-ci-prep/tasks/main.yml index 1fe4da1d3..c44508217 100644 --- a/roles/kayobe-ci-prep/tasks/main.yml +++ b/roles/kayobe-ci-prep/tasks/main.yml 
@@ -1,4 +1,10 @@ --- +- name: Set Rocky Linux mirror to download.rockylinux.org + become: true + ansible.builtin.shell: + cmd: sed -i 's/mirrorlist/#mirrorlist/g; s/#baseurl/baseurl/g' /etc/yum.repos.d/rocky.repo + when: ansible_facts.distribution == "Rocky" + - block: - name: Install dbus for debian system apt: @@ -25,7 +31,7 @@ name: dnf-plugins-core state: present - - name: Enable the EPEL repository + - name: Disable the EPEL repository command: dnf config-manager --disable epel - name: Install packages needed for unprivileged mode diff --git a/tox.ini b/tox.ini index ed74876cd..71ce94a0d 100644 --- a/tox.ini +++ b/tox.ini @@ -92,7 +92,7 @@ commands = setenv = {[testenv:linters]setenv} deps = {[testenv:linters]deps} commands = - ansible-lint -p --exclude etc --exclude kayobe/plugins --exclude playbooks --exclude releasenotes --exclude roles --exclude zuul.d --exclude ansible/idrac-bootstrap.yml --exclude .ansible --exclude ansible/roles/*.* --exclude ansible/collections + ansible-lint -f pep8 --exclude etc --exclude kayobe/plugins --exclude playbooks --exclude releasenotes --exclude roles --exclude zuul.d --exclude ansible/idrac-bootstrap.yml --exclude .ansible --exclude ansible/roles/*.* --exclude ansible/collections [testenv:ansible-syntax] commands =
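Review bot: The new `sed` task in roles/kayobe-ci-prep/tasks/main.yml is not idempotent and does not need a shell. `s/mirrorlist/#mirrorlist/g` is unanchored, so a second run turns `#mirrorlist` into `##mirrorlist`, and the task reports changed on every run. Anchoring the patterns and switching to `ansible.builtin.command` keeps it a one-liner: `cmd: sed -i 's/^mirrorlist/#mirrorlist/; s/^#baseurl/baseurl/' /etc/yum.repos.d/rocky.repo`. Alternatively, `ansible.builtin.replace` would give real change reporting. The task name mentions download.rockylinux.org, but that host only comes from the existing `baseurl` lines in the repo file, so a comment saying so would help the next reader.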