Ansible Roles

Documentation for roles included in system-config

There are two types of roles. Top-level roles, kept in the roles/ directory, are available to be used as roles in Zuul jobs. This places some constraints on the roles, such as not being able to use plugins. Add

roles:
  - zuul: openstack-infra/system-config

to your job definition to source these roles.

Roles in playbooks/roles are designed to be run on the Infrastructure control-plane (i.e. from bridge.openstack.org). These roles are not available to be shared with Zuul jobs.

Role documentation

ansible-cron

Setup periodic runs of run_all.sh, which runs playbooks against bridge.o.o and all hosts.

Role Variables

update_cron_interval
update_cron_interval.minute
Default: 15
update_cron_interval.hour
Default: *
update_cron_interval.day
Default: *
update_cron_interval.month
Default: *
update_cron_interval.weekday
Default: *

base-repos

Set basic repository sources

Role Variables

  • None

base-server

Basic common server configuration

Role Variables

bastion_key_exclusive
Default: True

Whether the bastion ssh key is the only key allowed to ssh in as root.

cloud-launcher-cron

Setup periodic runs of run_cloud_launcher.sh, which runs the cloud setup playbook against our clouds.

Note that this runs in an independent cron because we don't need to run it as frequently as our normal ansible runs, and this ansible process needs access to the all-clouds.yaml file, which the normal ansible runs do not use.

Role Variables

cloud_launcher_cron_interval
cloud_launcher_cron_interval.minute
Default: 0
cloud_launcher_cron_interval.hour
Default: */1
cloud_launcher_cron_interval.day
Default: *
cloud_launcher_cron_interval.month
Default: *
cloud_launcher_cron_interval.weekday
Default: *

configure-openstacksdk

Configure openstacksdk files

Configure openstacksdk files needed by nodepool and ansible.

Role Variables

openstacksdk_config_dir
Default: /etc/openstack
openstacksdk_config_owner
Default: root
openstacksdk_config_group
Default: root
openstacksdk_config_file
Default: {{ openstacksdk_config_dir }}/clouds.yaml
openstacksdk_config_template

disable-puppet-agent

Disable the puppet-agent service on a host

Role Variables

  • None

exim

Installs and configures the exim mail server

Role Variables

exim_aliases
Default: {}

A dictionary with keys being the email alias and the value being the address or comma separated list of addresses.

exim_routers
Default: []

A list of additional exim routers to define.

exim_transports
Default: []

A list of additional exim transports to define.

exim_local_domains
Default: "@"

Colon separated list of local domains.

exim_queue_interval
Default: 30m

How often should we run the queue.

exim_queue_run_max
Default: 5

Number of simultaneous queue runners.

exim_smtp_accept_max
Default: null

The maximum number of simultaneous incoming SMTP calls that Exim will accept. If the value is set to zero, no limit is applied. However, it is required to be non-zero if exim_smtp_accept_max_per_host is set.

exim_smtp_accept_max_per_host
Default: null

Restrict the number of simultaneous IP connections from a single host (strictly, from a single IP address) to the Exim daemon. The option is expanded, to enable different limits to be applied to different hosts by reference to $sender_host_address. Once the limit is reached, additional connection attempts from the same host are rejected with error code 421. The option's default value imposes no limit. If this option is set greater than zero, it is required that exim_smtp_accept_max be non-zero.

install-ansible

Install and configure Ansible on a host via pip

Role Variables

  • None

iptables

Install and configure iptables

Role Variables

iptables_allowed_hosts
Default: []

A list of dictionaries, each item in the list is a rule to add for a host/port combination. The format of the dictionary is:

iptables_allowed_hosts.hostname

The hostname to allow. It will automatically be resolved, and all IP addresses will be added to the firewall.

iptables_allowed_hosts.protocol

One of “tcp” or “udp”.

iptables_allowed_hosts.port

The port number.

iptables_public_tcp_ports
Default: []

A list of public TCP ports to open.

iptables_public_udp_ports
Default: []

A list of public UDP ports to open.

iptables_rules_v4
Default: []

A list of iptables v4 rules. Each item is a string containing the iptables command line options for the rule.

iptables_rules_v6
Default: []

A list of iptables v6 rules. Each item is a string containing the iptables command line options for the rule.
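As an added illustration (not part of system-config itself), the host_vars below combine the iptables role variables documented above for a hypothetical mirror host. The hostnames, ports and address ranges are assumed; the rule strings assume the role supplies the chain and only needs the option portion of the rule.

```yaml
# host_vars/mirror01.example.org.yaml (constructed example, not from system-config)

# Services reachable from anywhere: only the web ports are opened to the public.
iptables_public_tcp_ports:
  - 80
  - 443
iptables_public_udp_ports: []

# Services restricted to named peers. The role resolves each hostname and
# adds one rule per returned address, so a host with both A and AAAA
# records is covered for IPv4 and IPv6 without listing addresses here.
iptables_allowed_hosts:
  - hostname: monitor.example.org      # assumed monitoring host
    protocol: udp
    port: 161                          # snmpd
  - hostname: bridge.example.org       # assumed control-plane host
    protocol: tcp
    port: 8080

# Raw rules: each entry is passed through as iptables command line options.
# Here a secondary SSH port is limited to documentation (RFC 5737/3849) ranges.
iptables_rules_v4:
  - "-m state --state NEW -m tcp -p tcp --dport 2222 -s 203.0.113.0/24 -j ACCEPT"
iptables_rules_v6:
  - "-m state --state NEW -m tcp -p tcp --dport 2222 -s 2001:db8::/32 -j ACCEPT"
```

Anything not matched by one of these lists stays closed, so a new service needs an explicit entry here rather than a manual rule on the host.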

kerberos-client

An ansible role to configure a kerberos client

Role Variables

kerberos_realm

The realm for Kerberos authentication. You must set the realm, e.g. MY.COMPANY.COM. This will be the default realm.

kerberos_admin_server
Default: {{ ansible_fqdn }}

The host where the administration server is running. Typically this is the master Kerberos server.

kerberos_kdcs
Default: [ {{ ansible_fqdn }} ]

A list of key distribution center (KDC) hostnames for the realm.

logrotate

Add log rotation file

Note

This role does not manage the logrotate package or configuration directory, and it is assumed to be installed and available.

This role installs a log rotation file in /etc/logrotate.d/ for a given file.

For information on the directives see logrotate.conf(5). This is not an exhaustive list of directives (contributions are welcome).

Role Variables

logrotate_file_name

The log file on disk to rotate

logrotate_config_file_name
Default: Unique name based on logrotate_file_name

The name of the configuration file in /etc/logrotate.d

logrotate_compress
Default: yes
logrotate_copytruncate
Default: yes
logrotate_delaycompress
Default: yes
logrotate_missingok
Default: yes
logrotate_rotate
Default: 7
logrotate_daily
Default: yes
logrotate_notifempty
Default: yes

minimal-nodepool

Create minimal nodepool requirements so that we can manage nodepool servers with ansible and puppet while we transition.

NOTE: This likely isn't what we want long term. Should have a proper nodepool role or use windmill.

Role Variables

  • None

openafs-client

An ansible role to configure an OpenAFS client

Note

This role uses system packages where available, but for platforms or architectures where they are not available will require external builds. Defaults will pick external packages from OpenStack Infra builds, but you should evaluate if this is suitable for your environment.

This role configures the host to be an OpenAFS client. Because OpenAFS is very reliant on distribution internals, kernel versions and host architecture this role has limited platform support. Currently supported are

  • Debian family with system packages available
  • Ubuntu Xenial with ARM64, with external 1.8 series packages
  • CentOS 7 with external packages

Role Variables

openafs_client_cell
Default: openstack.org

The default cell

openafs_client_cache_size
Default: 500000

The AFS client cache size, in kilobytes

openafs_client_yum_repo_url
Default: https://tarballs.openstack.org/project-config/package-afs-centos7

The URL to a yum/dnf repository with the OpenAFS client RPMs. These are assumed to be created from the .spec file included in the OpenAFS distribution.

openafs_client_yum_repo_gpg_check
Default: no

Enable or disable gpg checking for openafs_client_yum_repo_url

openafs_client_apt_repo
Default: ppa:openstack-ci-core/openafs-arm64

Source string for APT repository for Debian family hosts requiring external packages (currently ARM64)

pip3

Install system packages for python3 pip and virtualenv

Role Variables

  • None

puppet-install

Install puppet on a host

Note

This role uses puppetlabs versions where available in preference to system packages.

This role installs puppet on a host

Role Variables

puppet_install_version
Default: 3

The puppet version to install. Platform support varies between versions.

puppet_install_system_config_modules
Default: yes

If we should clone and run install_modules.sh from OpenStack Infra system-config repository to populate required puppet modules on the host.

root-keys

Write out root SSH private key

Role Variables

root_rsa_key

The root key to place in /root/.ssh/id_rsa

set-hostname

Set hostname

Remove cloud-init and statically set the hostname, hosts and mailname

Role Variables

  • None

snmpd

Installs and configures the net-snmp daemon

timezone

Configures timezone to Etc/UTC and restarts crond when changed.

Role Variables

  • None

unbound

Installs and configures the unbound DNS resolver

users

Configure users on a server

Configure users on a server. Users are given sudo access.

Role Variables

all_users
Default: {}

Dictionary of all users. Each user needs a uid, gid and key.

base_users
Default: []

Users to install on all hosts

extra_users
Default: []

Extra users to install on a specific host or group

disabled_users
Default: []

Users who should be removed from all hosts
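As an added example (not taken from system-config), the two files below show how the four users role variables fit together: all_users holds every account's data once, while the lists select who is present, added or removed on a given host. User names, ids and the placeholder keys are constructed.

```yaml
# group_vars/all.yaml (constructed example, not from system-config)
# Every account the infrastructure knows about, keyed by login name.
# Keys below are obvious placeholders, not real public keys.
all_users:
  alice:
    uid: 2001
    gid: 2001
    key: "ssh-ed25519 AAAAC3PLACEHOLDER_KEY_ALICE alice@example.org"
  bob:
    uid: 2002
    gid: 2002
    key: "ssh-ed25519 AAAAC3PLACEHOLDER_KEY_BOB bob@example.org"
  carol:
    uid: 2003
    gid: 2003
    key: "ssh-ed25519 AAAAC3PLACEHOLDER_KEY_CAROL carol@example.org"

# Accounts created on every host (each gets sudo, per the role description).
base_users:
  - alice

# Accounts that must be removed everywhere; keeping the entry in all_users
# lets the role still find the uid it needs to clean up.
disabled_users:
  - carol

---
# host_vars/mirror01.example.org.yaml (constructed example)
# Accounts added only on this host, on top of base_users.
extra_users:
  - bob
```

Revoking access is therefore a move from base_users or extra_users to disabled_users rather than an edit to all_users, which keeps the uid record intact until the account is gone from all hosts.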

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License.