Merge branch 'ceph:main' into s390x_m1306008_m130603X

.ansible-lint

@@ -0,0 +1,25 @@
+---
+skip_list:
+  - command-instead-of-module
+  - command-instead-of-shell
+  - deprecated-command-syntax
+  - deprecated-local-action
+  - empty-string-compare
+  - experimental
+  - fqcn[action-core]
+  - fqcn[action]
+  - git-latest
+  - jinja
+  - literal-compare
+  - load-failure
+  - meta-no-info
+  - name[casing]
+  - no-changed-when
+  - no-handler
+  - no-jinja-when
+  - no-relative-paths
+  - package-latest
+  - risky-file-permissions
+  - risky-shell-pipe
+  - role-name
+  - unnamed-task

.github/workflows/tests.yml

@@ -0,0 +1,38 @@
+name: tests
+
+on: [push, pull_request]
+
+jobs:
+  syntax-check:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Install ansible
+      run: |
+        sudo apt-get update
+        sudo apt-get purge ansible
+        sudo apt-get install python3-setuptools
+        pip3 install ansible --user
+    - name: ansible-playbook syntax check
+      run: |
+        export PATH=$PATH:$HOME/.local/bin
+        sed -i /^vault_password_file/d ansible.cfg
+        ansible-playbook -i localhost, cephlab.yml --syntax-check
+  ansible-lint:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Install ansible-lint
+      run: |
+        sudo apt-get update
+        sudo apt-get purge ansible
+        sudo apt-get install python3-setuptools
+        # This pinned ansible version should match teuthology's
+        # requirements.txt.
+        # And we choose an ansible-lint version to be compatible with this
+        # Ansible version.
+        pip3 install ansible==2.10.7 ansible-lint[core]==5.4.0 --user
+    - name: Run ansible-lint
+      run: |
+        export PATH=$PATH:$HOME/.local/bin
+        ansible-lint -v roles/*

cobbler.yml

@@ -45,6 +45,7 @@
     - { role: cobbler_profile, distro_name: CentOS-8.2-x86_64, tags: ['centos8.2'] }
     - { role: cobbler_profile, distro_name: CentOS-8.3-x86_64, tags: ['centos8.3'] }
     - { role: cobbler_profile, distro_name: CentOS-8.4-x86_64, tags: ['centos8.4'] }
+    - { role: cobbler_profile, distro_name: CentOS-8.5-x86_64, tags: ['centos8.5'] }
     - { role: cobbler_profile, distro_name: CentOS-8.stream-x86_64, tags: ['centos8.stream'] }
     - { role: cobbler_profile, distro_name: CentOS-9.stream-x86_64, tags: ['centos9.stream'] }
     - { role: cobbler_profile, distro_name: Ubuntu-12.04-server-x86_64, tags: ['ubuntu-precise'] }
@@ -56,5 +57,6 @@
     - { role: cobbler_profile, distro_name: openSUSE-15.0-x86_64, tags: ['opensuse-15.0'] }
     - { role: cobbler_profile, distro_name: openSUSE-15.1-x86_64, tags: ['opensuse-15.1'] }
     - { role: cobbler_profile, distro_name: openSUSE-15.2-x86_64, tags: ['opensuse-15.2'] }
+    - { role: cobbler_profile, distro_name: VMware-ESXi-7.0-x86_64, tags: ['esxi-7.0'] }
     - cobbler_systems
   become: true

roles/cobbler/tasks/settings.yml

@@ -28,5 +28,5 @@
   when: users_digest is changed or dynamic_settings is changed or server_value is changed
 
 - name: Update settings
-  command: cobbler setting edit --name={{ item.name }} --value={{ item.value}}
+  command: cobbler setting edit --name={{ item.name }} --value={{ item.value }}
   with_items: "{{ settings }}"

roles/cobbler/templates/triggers/install/post/cephlab_ansible.sh

@@ -1,6 +1,14 @@
 #!/bin/bash
 ## {{ ansible_managed }}
 set -ex
+
+# Cobbler on CentOS 7 in May 2023 needed a later python than the default 3.6
+# check for SCL 3.8 and enable if so.  scl enable starts a child shell; the undocumented
+# scl_source sets the environment variables (PATH, LD_LIBRARY_PATH, MANPATH, PKG_CONFIG_PATH,
+# and XDG_DATA_DIRS) in the current shell.
+
+if scl -l | grep -s rh-python38 >/dev/null 2>&1 ; then source scl_source enable rh-python38; fi
+
 name=$2
 profile=$(cobbler system dumpvars --name $2 | grep profile_name | cut -d ':' -f2)
 export USER=root

roles/cobbler_profile/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
 distros:
-  # Distros with empty iso values will be skipped. These dicts will be 
-  # updated with same-named items in an 'extra_distros' var, which can be 
+  # Distros with empty iso values will be skipped. These dicts will be
+  # updated with same-named items in an 'extra_distros' var, which can be
   # set in the secrets repo.
   "inktank-rescue":
       iso: ""
@@ -135,6 +135,10 @@ distros:
       iso: http://packages.oit.ncsu.edu/centos/8.4.2105/isos/x86_64/CentOS-8.4.2105-x86_64-dvd1.iso
       sha256: 0394ecfa994db75efc1413207d2e5ac67af4f6685b3b896e2837c682221fd6b2
       kickstart: cephlab_rhel.ks
+  "CentOS-8.5-x86_64":
+      iso: https://mirror.cs.pitt.edu/centos-vault/8.5.2111/isos/x86_64/CentOS-8.5.2111-x86_64-dvd1.iso
+      sha256: 3b795863001461d4f670b0dedd02d25296b6d64683faceb8f2b60c53ac5ebb3e
+      kickstart: cephlab_rhel.ks
   "Ubuntu-12.04-server-x86_64":
       iso: "http://releases.ubuntu.com/12.04/ubuntu-12.04.5-server-amd64.iso"
       sha256: af224223de99e2a730b67d7785b657f549be0d63221188e105445f75fb8305c9

roles/cobbler_profile/tasks/download_iso.yml

@@ -7,6 +7,6 @@
   get_url:
       url={{ distro.iso }}
       dest={{ iso_path }}
-      sha256sum={{ distro.sha256 }}
+      checksum=sha256:{{ distro.sha256 }}
   when: profile is defined and profile.stdout == ''
   register: download

roles/common/README.rst

@@ -49,8 +49,6 @@ your own local epel mirror.
 ``enable_epel`` is a boolean that sets whether epel repos should be enabled.
 Defined in ``roles/common/defaults/main.yml``.
 
-``beta_repos`` is a dict of internal Red Hat beta repos used to create repo files in /etc/yum.repos.d.  We have these defined in the secrets repo.  See ``epel_repos`` for dict syntax.
-
 ``yum_timeout`` is an integer used to set the yum timeout.  Defined in
 ``roles/common/defaults/main.yml``.
 

roles/common/defaults/main.yml

@@ -18,23 +18,16 @@ epel_mirror_baseurl: "http://dl.fedoraproject.org/pub/epel"
 epel_repos:
   epel:
     name: "Extra Packages for Enterprise Linux"
-    mirrorlist: file:///etc/yum.repos.d/epel-mirrorlist
+    metalink: "https://mirrors.fedoraproject.org/metalink?repo=epel-{{ ansible_distribution_major_version }}&arch=$basearch&infra=$infra&content=$contentdir"
     # ternary requires ansible >= 1.9
     enabled: "{{ enable_epel | ternary(1, 0) }}"
     gpgcheck: 0
   epel-testing:
     name: "Extra Packages for Enterprise Linux - Testing"
-    mirrorlist: file:///etc/yum.repos.d/epel-testing-mirrorlist
+    metalink: "https://mirrors.fedoraproject.org/metalink?repo=testing-epel{{ ansible_distribution_major_version }}&arch=$basearch&infra=$infra&content=$contentdir"
     enabled: 0
     gpgcheck: 0
 
-# Override in secrets repo
-beta_repos: {}
-
-# Default to false.  A task in roles/common/tasks/yum_systems.yml
-# will set this to true if lsb_release indicates the distro is an Alpha/Beta release
-beta_distro: false
-
 enable_epel: true
 yum_timeout: 300
 

roles/common/tasks/epel.yml

@@ -16,17 +16,6 @@
   register: epel_repo
   with_dict: "{{ epel_repos }}"
 
-- name: Configure local epel mirrorlists
-  template:
-    src: '{{ item }}'
-    dest: '/etc/yum.repos.d/{{ item }}'
-    owner: root
-    group: root
-    mode: 0644
-  with_items:
-    - epel-mirrorlist
-    - epel-testing-mirrorlist
-
 - name: Clean yum cache
   shell: yum clean all
   when: epel_repo is defined and epel_repo is changed

roles/common/tasks/rhel-entitlements.yml

@@ -50,6 +50,12 @@
   register: new_uuid
   when: use_satellite == true
 
+- name: Run dbus-uuidgen to create /var/lib/dbus/machine-id
+  shell: dbus-uuidgen --ensure
+
+- name: Run systemd-machine-id-setup to set /etc/machine-id
+  shell: systemd-machine-id-setup
+
 - name: Add new UUID to dmi_system_uuid.facts
   ansible.builtin.lineinfile:
     path: /etc/rhsm/facts/dmi_system_uuid.facts
@@ -120,7 +126,6 @@
   delay: 10
   failed_when:
     - entitled.rc != 0
-    - '"Beta" not in ansible_lsb.description'
 
 - name: Set rhsm_registered if we just registered
   set_fact:
@@ -137,29 +142,6 @@
   changed_when: false
   failed_when:
     - rhsm_release_list.rc != 0
-    - ansible_lsb.description is defined
-    - '"Beta" not in ansible_lsb.description'
-
-# We don't need to be registered to CDN since there's no packages available
-# for this Beta/Alpha/RC installation
-- name: Unregister Beta/Alpha/RC system with subscription-manager
-  command: subscription-manager unregister
-  when: ansible_distribution_version not in rhsm_release_list.stdout_lines
-  register: unregistered_beta_distro
-  until: unregistered_beta_distro is success
-  retries: 5
-  delay: 10
-
-# Setting rhsm_registered back to false allows the rest of the playbook
-# (except beta_repos.yml) to be skipped
-- name: Set rhsm_registered to false if Beta/Alpha/RC release
-  set_fact:
-    rhsm_registered: false
-  when: unregistered_beta_distro is not skipped
-
-- name: Run beta_repos.yml playbook for Beta/Alpha/RC release
-  import_tasks: beta_repos.yml
-  when: ansible_distribution_version not in rhsm_release_list.stdout_lines
 
 - name: Get list of enabled RHSM repos
   shell: subscription-manager repos --list | grep -B4 'Enabled:.*1' | grep 'Repo ID:' | sed -e 's/Repo ID:\s*\(.*\)/\1/' | sort
@@ -172,10 +154,10 @@
     repo_list: "{{ repo_list_cmd.stdout.split('\n') }}"
   when: repo_list_cmd is defined and repo_list_cmd is not skipped
 
-- name: Set replace_repos false if entitlements are missing or if we unregistered
+- name: Set replace_repos false if entitlements are missing
   set_fact:
     replace_repos: false
-  when: have_entitlements == false or unregistered_beta_distro is changed
+  when: have_entitlements == false
 
 - name: Set replace_repos true if rhsm_repos differs from repo_list
   set_fact:
@@ -202,6 +184,15 @@
   retries: 5
   delay: 10
 
+# recreate the removed machine-id files to avoid breaking
+# other parts of the system, /bin/install-kernel for instance
+
+- name: Run dbus-uuidgen to create /var/lib/dbus/machine-id
+  shell: dbus-uuidgen --ensure
+
+- name: Run systemd-machine-id-setup to set /etc/machine-id
+  shell: systemd-machine-id-setup
+
 - name: Remove old apt-mirror repository definition.
   file:
     path: /etc/yum.repos.d/cd.repo

roles/common/tasks/yum_systems.yml

@@ -65,7 +65,6 @@
 - import_tasks: rhel-entitlements.yml
   when:
     ansible_distribution == 'RedHat' and
-    beta_distro == false and
     skip_entitlements|default(false)|bool != true
   tags:
     - entitlements

roles/firmware/tasks/areca/main.yml

@@ -30,5 +30,5 @@
         (current_areca_version.stdout != latest_{{ areca_model_pretty }}_version)
 
 - name: Run Areca firmware update playbook
-  import_tasks: roles/firmware/tasks/areca/areca-update.yml
+  import_tasks: areca/areca-update.yml
   when: need_areca_update is defined and need_areca_update == true

roles/firmware/tasks/mira/bios.yml

@@ -10,5 +10,5 @@
   when: current_bios_version.stdout != latest_bios_version
 
 - name: Include BIOS update logic
-  import_tasks: roles/firmware/tasks/mira/bios-update.yml
+  import_tasks: mira/bios-update.yml
   when: need_bios_update is defined and need_bios_update == true

roles/firmware/tasks/mira/bmc.yml

@@ -23,5 +23,5 @@
   when: current_bmc_version.stdout != latest_bmc_version
 
 - name: Include BMC update logic
-  import_tasks: roles/firmware/tasks/mira/bmc-update.yml
+  import_tasks: mira/bmc-update.yml
   when: need_bmc_update is defined and need_bmc_update == true

roles/firmware/tasks/smithi/bmc.yml

@@ -23,5 +23,5 @@
   when: current_bmc_version.stdout != latest_bmc_version
 
 - name: Include BMC update logic
-  import_tasks: roles/firmware/tasks/smithi/bmc-update.yml
+  import_tasks: smithi/bmc-update.yml
   when: need_bmc_update is defined and need_bmc_update == true

roles/fog-server/tasks/main.yml

@@ -9,7 +9,7 @@
 
 - name: Ensure a path for FOG
   file:
-    path: "/home/{{ fog_user}}/fog"
+    path: "/home/{{ fog_user }}/fog"
     owner: "{{ fog_user }}"
     state: directory
 

roles/public_facing/tasks/letsencrypt_nginx.yml

@@ -16,7 +16,7 @@
     state: present
 
 # 'letsencrypt renew' fails because it can't reach the letsencrypt authority server using IPv6
-- name: Create cron entry to force IPv4 connectivity to letsencrypt authority server
+- name: Create cron entry to force IPv4 connectivity to letsencrypt authority server  # noqa no-tabs
   cron:
     name: "Forces letsencrypt to use IPv4 when accessing acme-v01.api.letsencrypt.org"
     hour: "0"

roles/rook/tasks/rook-recovery.yml

@@ -7,7 +7,6 @@
     group: "{{ security_group }}"
     instance_type: "{{ controller_instance_type }}"
     image: "{{ image }}"
-    wait: true
     region: "{{ region }}"
     vpc_subnet_id: "{{ vpc_subnet_id }}"
     assign_public_ip: yes

roles/testnode/tasks/cpan.yml

@@ -34,7 +34,7 @@
     mode: 0755
 
 - name: Ensure perl-doc and cpanminus is installed on apt systems.
-  apt: name={{item}} state=present
+  apt: name={{ item }} state=present
   with_items:
     - cpanminus
     - perl-doc

roles/testnode/tasks/ntp.yml

@@ -49,7 +49,7 @@
 
 - name: Make sure ntpd is running.
   service:
-    name: "{{ntp_service_name}}"
+    name: "{{ ntp_service_name }}"
     enabled: yes
     state: started
   # There's an issue with ansible<=2.9 and our custom built kernels (5.8 as of this commit) where the service and systemd modules don't have backwards compatibility with init scripts