From b09a3a6e5b36bac312cbd60a02fc8dd124854ec4 Mon Sep 17 00:00:00 2001 From: Prakhar Srivastava <31232641+prakhar1985@users.noreply.github.com> Date: Tue, 21 Apr 2026 15:36:42 +1000 Subject: [PATCH 01/10] fix: use workdir variable instead of ansible_env.HOME prefix Introduce ocp4_workload_rhoso_deployment_workdir computed from ansible_facts env HOME to avoid double-slash when an absolute path is used and to fix deprecation warnings. Replace all ansible_env.HOME references across task files with the new variable. --- .../defaults/main.yml | 5 +++++ .../tasks/control_plane.yml | 4 ++-- .../tasks/data_plane.yml | 14 +++++++------- .../tasks/install_operators.yml | 12 ++++++------ .../tasks/network_isolation.yml | 12 ++++++------ .../tasks/security.yml | 4 ++-- 6 files changed, 28 insertions(+), 23 deletions(-) diff --git a/roles/ocp4_workload_rhoso_deployment/defaults/main.yml b/roles/ocp4_workload_rhoso_deployment/defaults/main.yml index a0dac06..513a369 100644 --- a/roles/ocp4_workload_rhoso_deployment/defaults/main.yml +++ b/roles/ocp4_workload_rhoso_deployment/defaults/main.yml @@ -25,6 +25,11 @@ ocp4_workload_rhoso_deployment_bastion_ssh_public_key: "{{ bastion_ssh_pubkey_pa # ============================================================================ ocp4_workload_rhoso_deployment_files_directory: "openstack-files" +# Full working directory path on the bastion. +# Override this variable to use a custom absolute path. +# By default resolves to $HOME/openstack-files on the bastion host. +ocp4_workload_rhoso_deployment_workdir: "{{ ansible_facts['env']['HOME'] }}/{{ ocp4_workload_rhoso_deployment_files_directory }}" + # Manifest files shipped under roles/ocp4_workload_rhoso_deployment/files/ ocp4_workload_rhoso_deployment_content_files: - osp-ng-nncp-w1.yaml diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/control_plane.yml b/roles/ocp4_workload_rhoso_deployment/tasks/control_plane.yml index 46c6feb..ac34e2f 100644 
--- a/roles/ocp4_workload_rhoso_deployment/tasks/control_plane.yml +++ b/roles/ocp4_workload_rhoso_deployment/tasks/control_plane.yml @@ -1,7 +1,7 @@ --- - name: Read Cinder NFS configuration file ansible.builtin.slurp: - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/nfs-cinder-conf" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/nfs-cinder-conf" register: _ocp4_workload_rhoso_deployment_nfs_cinder_conf delegate_to: bastion @@ -33,7 +33,7 @@ - name: Create OpenStack Control Plane kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-ctlplane-deploy.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-ctlplane-deploy.yaml" retries: 5 delay: 10 delegate_to: bastion diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml b/roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml index 7c2b748..465c33b 100644 --- a/roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml +++ b/roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml @@ -2,7 +2,7 @@ - name: Apply data plane network configuration kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-dataplane-netconfig.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-dataplane-netconfig.yaml" delegate_to: bastion - name: Set hostname for compute node @@ -90,7 +90,7 @@ - name: Generate nova migration SSH key pair community.crypto.openssh_keypair: - path: "{{ ansible_env.HOME }}/nova-migration-key" + path: "{{ ocp4_workload_rhoso_deployment_workdir }}/nova-migration-key" type: ecdsa size: 521 force: false 
@@ -101,8 +101,8 @@ src: "{{ item }}" register: _ocp4_workload_rhoso_deployment_nova_keys loop: - - "{{ ansible_env.HOME }}/nova-migration-key" - - "{{ ansible_env.HOME }}/nova-migration-key.pub" + - "{{ ocp4_workload_rhoso_deployment_workdir }}/nova-migration-key" + - "{{ ocp4_workload_rhoso_deployment_workdir }}/nova-migration-key.pub" delegate_to: bastion - name: Create nova migration SSH key secret @@ -193,7 +193,7 @@ - name: Apply data plane node set kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-dataplane-node-set-deploy.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-dataplane-node-set-deploy.yaml" retries: 5 delay: 10 delegate_to: bastion @@ -201,7 +201,7 @@ - name: Apply data plane deployment kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-dataplane-deployment.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-dataplane-deployment.yaml" retries: 5 delay: 10 delegate_to: bastion @@ -236,7 +236,7 @@ - name: Display Data Plane Deployment status ansible.builtin.debug: - msg: | + msg: |- === OpenStack Data Plane Deployment Status === Message: {{ _ocp4_workload_rhoso_deployment_dp_status.resources[0].status.get('message', 'No message') }} Conditions: {{ _ocp4_workload_rhoso_deployment_dp_status.resources[0].status.get('conditions', []) | map(attribute='type') | list }} diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/install_operators.yml b/roles/ocp4_workload_rhoso_deployment/tasks/install_operators.yml index 53c0844..4796a74 100644 --- a/roles/ocp4_workload_rhoso_deployment/tasks/install_operators.yml +++ b/roles/ocp4_workload_rhoso_deployment/tasks/install_operators.yml 
@@ -1,7 +1,7 @@ --- - name: Create working directory for OpenStack files ansible.builtin.file: - path: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}" + path: "{{ ocp4_workload_rhoso_deployment_workdir }}" state: directory mode: "0755" delegate_to: bastion @@ -9,7 +9,7 @@ - name: Copy OpenStack configuration files to working directory ansible.builtin.copy: src: "{{ item }}" - dest: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/{{ item }}" + dest: "{{ ocp4_workload_rhoso_deployment_workdir }}/{{ item }}" mode: "0644" loop: "{{ ocp4_workload_rhoso_deployment_content_files }}" delegate_to: bastion @@ -32,7 +32,7 @@ - name: Replace UUID placeholder with guid in manifest files ansible.builtin.replace: - path: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/{{ item }}" + path: "{{ ocp4_workload_rhoso_deployment_workdir }}/{{ item }}" regexp: "UUID" replace: "{{ ocp4_workload_rhoso_deployment_guid }}" loop: "{{ ocp4_workload_rhoso_deployment_uuid_replacement_files }}" @@ -40,7 +40,7 @@ - name: Replace external IP placeholders for worker nodes ansible.builtin.replace: - path: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/{{ item.file }}" + path: "{{ ocp4_workload_rhoso_deployment_workdir }}/{{ item.file }}" regexp: "{{ item.placeholder }}" replace: "{{ item.value }}" loop: @@ -58,7 +58,7 @@ - name: Apply OpenStack operator OperatorGroup and Subscription kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-openstack-operator.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-openstack-operator.yaml" delegate_to: bastion - name: Wait for OpenStack operator install plan 
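Review bot: The copy task in the `@@ -9,7` hunk writes every manifest with `mode: "0644"` into a directory created with `mode: "0755"`, and security.yml applies `osp-ng-ctlplane-secret.yaml` and `osp-ng-libvirt-secret.yaml` from that same workdir, so the Secret manifests (presumably part of `ocp4_workload_rhoso_deployment_content_files`, whose tail is cut off here) land world-readable on a shared bastion. The same connection user both copies and applies them, so nothing needs group/other access; I would use `mode: "0700"` for the directory and `mode: "0600"` for the copied files. If the remaining list entries are all non-sensitive manifests the tighter modes are still harmless.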
@@ -114,7 +114,7 @@ - name: Initialize the OpenStack operator kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-openstack-operator-init.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-openstack-operator-init.yaml" delegate_to: bastion - name: Wait for OpenStack operator to be ready diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/network_isolation.yml b/roles/ocp4_workload_rhoso_deployment/tasks/network_isolation.yml index fc86b90..cbf5cd0 100644 --- a/roles/ocp4_workload_rhoso_deployment/tasks/network_isolation.yml +++ b/roles/ocp4_workload_rhoso_deployment/tasks/network_isolation.yml @@ -2,19 +2,19 @@ - name: Apply NodeNetworkConfigurationPolicy for worker node 1 kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-nncp-w1.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-nncp-w1.yaml" delegate_to: bastion - name: Apply NodeNetworkConfigurationPolicy for worker node 2 kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-nncp-w2.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-nncp-w2.yaml" delegate_to: bastion - name: Apply NodeNetworkConfigurationPolicy for worker node 3 kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-nncp-w3.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-nncp-w3.yaml" delegate_to: bastion - name: Wait for all NNCPs to be created 
@@ -55,7 +55,7 @@ - name: Apply NetworkAttachmentDefinitions for isolated networks kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-netattach.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-netattach.yaml" delegate_to: bastion - name: Wait for MetalLB additional CRDs @@ -75,7 +75,7 @@ - name: Apply MetalLB IP address pools kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-metal-lb-ip-address-pools.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-metal-lb-ip-address-pools.yaml" retries: 5 delay: 10 delegate_to: bastion @@ -83,7 +83,7 @@ - name: Apply MetalLB L2 advertisements kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-metal-lb-l2-advertisements.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-metal-lb-l2-advertisements.yaml" retries: 5 delay: 10 delegate_to: bastion diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/security.yml b/roles/ocp4_workload_rhoso_deployment/tasks/security.yml index 24f3ff2..253e166 100644 --- a/roles/ocp4_workload_rhoso_deployment/tasks/security.yml +++ b/roles/ocp4_workload_rhoso_deployment/tasks/security.yml @@ -2,7 +2,7 @@ - name: Create OpenStack control plane secret kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-ctlplane-secret.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-ctlplane-secret.yaml" delegate_to: bastion - name: Verify osp-secret was created 
@@ -18,7 +18,7 @@ - name: Create libvirt secret kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-libvirt-secret.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-libvirt-secret.yaml" delegate_to: bastion - name: Verify libvirt-secret was created From 5551ed58d8eb09760daefa27ade4e5131883adc0 Mon Sep 17 00:00:00 2001 From: Prakhar Srivastava <31232641+prakhar1985@users.noreply.github.com> Date: Tue, 21 Apr 2026 17:04:28 +1000 Subject: [PATCH 02/10] fix: use /tmp/openstack-files as default workdir ansible_facts['env']['HOME'] resolves to the EE container HOME (/root), not the bastion connection user's home. Using /tmp avoids permission issues regardless of who the SSH connection user is on the bastion. --- roles/ocp4_workload_rhoso_deployment/defaults/main.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/ocp4_workload_rhoso_deployment/defaults/main.yml b/roles/ocp4_workload_rhoso_deployment/defaults/main.yml index 513a369..7ca7b2d 100644 --- a/roles/ocp4_workload_rhoso_deployment/defaults/main.yml +++ b/roles/ocp4_workload_rhoso_deployment/defaults/main.yml 
@@ -26,9 +26,10 @@ ocp4_workload_rhoso_deployment_bastion_ssh_public_key: "{{ bastion_ssh_pubkey_pa ocp4_workload_rhoso_deployment_files_directory: "openstack-files" # Full working directory path on the bastion. -# Override this variable to use a custom absolute path. -# By default resolves to $HOME/openstack-files on the bastion host. -ocp4_workload_rhoso_deployment_workdir: "{{ ansible_facts['env']['HOME'] }}/{{ ocp4_workload_rhoso_deployment_files_directory }}" +# Uses /tmp to ensure it is writable by any SSH connection user, +# regardless of whether the EE runs as root or a regular user. +# Override to use a different absolute path. +ocp4_workload_rhoso_deployment_workdir: "/tmp/{{ ocp4_workload_rhoso_deployment_files_directory }}" # Manifest files shipped under roles/ocp4_workload_rhoso_deployment/files/ ocp4_workload_rhoso_deployment_content_files: From 3bce01230a36f556dea3df1d5cea5928a36ccae1 Mon Sep 17 00:00:00 2001 From: Prakhar Srivastava <31232641+prakhar1985@users.noreply.github.com> Date: Tue, 21 Apr 2026 18:32:43 +1000 Subject: [PATCH 03/10] fix: use variables for nfs-server and compute01 inventory hostnames Hardcoded delegate_to: nfs-server and delegate_to: compute01 don't match the AgnosticD inventory which uses nfsserver and compute01 respectively. Add configurable hostname variables with correct defaults. --- .../defaults/main.yml | 6 ++++++ .../tasks/data_plane.yml | 12 ++++++------ .../tasks/nfs_server.yml | 14 +++++++------- 3 files changed, 19 insertions(+), 13 deletions(-) diff --git a/roles/ocp4_workload_rhoso_deployment/defaults/main.yml b/roles/ocp4_workload_rhoso_deployment/defaults/main.yml index 7ca7b2d..c757bc4 100644 --- a/roles/ocp4_workload_rhoso_deployment/defaults/main.yml +++ b/roles/ocp4_workload_rhoso_deployment/defaults/main.yml 
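Review bot: Defaulting `ocp4_workload_rhoso_deployment_workdir` to `/tmp/openstack-files` puts a predictable path in a world-writable directory, and the role stores Secret manifests and the `nova-migration-key` private key under it (data_plane.yml after the previous patch). Another local user on the bastion can pre-create `/tmp/openstack-files` (or a symlink there) before the run; `ansible.builtin.file` with `state: directory` accepts an existing directory, so the copied files end up in a location that user controls or can read. A `/tmp` default is also subject to systemd-tmpfiles age-based cleanup on a long-lived bastion. Prefer a location under the bastion connection user's home — `~/{{ ocp4_workload_rhoso_deployment_files_directory }}` is expanded on the target by modules whose argument is `type: path`, which the `file` and `copy` tasks here are — and create it with `mode: "0700"`; if `/tmp` must stay, at least document the exposure in the comment above the variable.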
@@ -19,6 +19,12 @@ ocp4_workload_rhoso_deployment_guid: "{{ guid }}" ocp4_workload_rhoso_deployment_bastion_ssh_private_key: "{{ bastion_ssh_key_path | default('~/.ssh/bastion_' ~ guid) }}" ocp4_workload_rhoso_deployment_bastion_ssh_public_key: "{{ bastion_ssh_pubkey_path | default('~/.ssh/bastion_' ~ guid ~ '.pub') }}" +# ============================================================================ +# Inventory hostnames — override if your inventory uses different names +# ============================================================================ +ocp4_workload_rhoso_deployment_nfs_host: "nfsserver" +ocp4_workload_rhoso_deployment_compute_host: "compute01" + # ============================================================================ # Content files — OpenStack YAML manifests shipped in the role's files/ dir. # The role copies these to a working directory on the bastion, then applies them. diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml b/roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml index 465c33b..92275a4 100644 --- a/roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml +++ b/roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml @@ -8,7 +8,7 @@ - name: Set hostname for compute node ansible.builtin.hostname: name: "{{ ocp4_workload_rhoso_deployment_compute_nodes[0].hostname }}" - delegate_to: compute01 + delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}" become: true - name: Configure static eth1 interface for control plane @@ -17,7 +17,7 @@ nmcli con add con-name "static-eth1" ifname eth1 type ethernet ip4 {{ ocp4_workload_rhoso_deployment_compute_nodes[0].ctlplane_ip }}/24 ipv4.dns "172.22.0.89" - delegate_to: compute01 + delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}" become: true register: _ocp4_workload_rhoso_deployment_compute_eth1 changed_when: >- 
@@ -30,7 +30,7 @@ - name: Activate static-eth1 connection on compute ansible.builtin.command: cmd: nmcli con up "static-eth1" - delegate_to: compute01 + delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}" become: true changed_when: true @@ -39,7 +39,7 @@ cmd: >- nmcli con add con-name "eth0-dhcp" ifname eth0 type ethernet ipv4.method auto ipv6.method ignore - delegate_to: compute01 + delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}" become: true register: _ocp4_workload_rhoso_deployment_compute_eth0 changed_when: >- @@ -52,14 +52,14 @@ - name: Activate eth0-dhcp connection on compute ansible.builtin.command: cmd: nmcli con up "eth0-dhcp" - delegate_to: compute01 + delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}" become: true changed_when: true - name: Set stable ID for eth0 connection on compute ansible.builtin.command: cmd: nmcli con mod eth0-dhcp connection.stable-id user-set - delegate_to: compute01 + delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}" become: true changed_when: true diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/nfs_server.yml b/roles/ocp4_workload_rhoso_deployment/tasks/nfs_server.yml index e5e6872..0f9cf4e 100644 --- a/roles/ocp4_workload_rhoso_deployment/tasks/nfs_server.yml +++ b/roles/ocp4_workload_rhoso_deployment/tasks/nfs_server.yml @@ -9,7 +9,7 @@ {{ ocp4_workload_rhoso_deployment_nfs_cinder_path }} {{ ocp4_workload_rhoso_deployment_nfs_glance_path }} {{ ocp4_workload_rhoso_deployment_nfs_aap_path }} - delegate_to: nfs-server + delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" become: true changed_when: true @@ -20,7 +20,7 @@ {{ ocp4_workload_rhoso_deployment_nfs_glance_path }} *(rw,sync,no_root_squash) {{ ocp4_workload_rhoso_deployment_nfs_aap_path }} *(rw,sync,no_root_squash) EXPORTS - delegate_to: nfs-server + delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" become: true changed_when: true notify: Restart nfs-server 
@@ -30,31 +30,31 @@ nmcli con show "static-eth1" 2>/dev/null || nmcli con add con-name "static-eth1" ifname eth1 type ethernet ip4 {{ ocp4_workload_rhoso_deployment_nfs_server_ip }}/24 - delegate_to: nfs-server + delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" become: true changed_when: true - name: Activate static network connection on NFS server ansible.builtin.raw: nmcli con up "static-eth1" - delegate_to: nfs-server + delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" become: true changed_when: true - name: Start and enable NFS server ansible.builtin.raw: systemctl enable --now nfs-server - delegate_to: nfs-server + delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" become: true changed_when: true - name: Export NFS shares ansible.builtin.raw: exportfs -ra - delegate_to: nfs-server + delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" become: true changed_when: true - name: Verify NFS exports ansible.builtin.raw: exportfs -v - delegate_to: nfs-server + delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" become: true register: _ocp4_workload_rhoso_deployment_nfs_exports changed_when: false From a3dc2e59e24bcc18dbcb603c2f76aa6dd0a1b19f Mon Sep 17 00:00:00 2001 From: Prakhar Srivastava <31232641+prakhar1985@users.noreply.github.com> Date: Tue, 21 Apr 2026 18:36:27 +1000 Subject: [PATCH 04/10] fix: handler hostname variable, remove_workload workdir, community.crypto dep - handlers/main.yml: use nfs_host variable instead of hardcoded nfs-server - remove_workload.yml: use workdir variable instead of ansible_env.HOME - galaxy.yml: add community.crypto dependency (used by openssh_keypair in data_plane) --- galaxy.yml | 3 ++- roles/ocp4_workload_rhoso_deployment/handlers/main.yml | 2 +- roles/ocp4_workload_rhoso_deployment/tasks/remove_workload.yml | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/galaxy.yml b/galaxy.yml index 3bc8832..f21fbd3 100644 --- a/galaxy.yml +++ b/galaxy.yml 
@@ -24,10 +24,11 @@ tags: dependencies: ansible.posix: ">=1.0.0" + community.crypto: ">=2.0.0" repository: https://github.com/agnosticd/osp-on-ocp documentation: https://github.com/agnosticd/osp-on-ocp homepage: https://github.com/agnosticd/osp-on-ocp issues: https://github.com/agnosticd/osp-on-ocp/issues -build_ignore: [] \ No newline at end of file +build_ignore: [] diff --git a/roles/ocp4_workload_rhoso_deployment/handlers/main.yml b/roles/ocp4_workload_rhoso_deployment/handlers/main.yml index e0ed1cc..d0e4ecf 100644 --- a/roles/ocp4_workload_rhoso_deployment/handlers/main.yml +++ b/roles/ocp4_workload_rhoso_deployment/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: Restart nfs-server ansible.builtin.raw: systemctl restart nfs-server - delegate_to: nfs-server + delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" become: true diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/remove_workload.yml b/roles/ocp4_workload_rhoso_deployment/tasks/remove_workload.yml index fcc2669..1163b97 100644 --- a/roles/ocp4_workload_rhoso_deployment/tasks/remove_workload.yml +++ b/roles/ocp4_workload_rhoso_deployment/tasks/remove_workload.yml @@ -101,7 +101,7 @@ - name: Clean up working directory on bastion ansible.builtin.file: - path: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}" + path: "{{ ocp4_workload_rhoso_deployment_workdir }}" state: absent delegate_to: bastion From 98632206f89a8f9e0c3023a6bf6ca9407ea01195 Mon Sep 17 00:00:00 2001 
From: Prakhar Srivastava <31232641+prakhar1985@users.noreply.github.com> Date: Tue, 21 Apr 2026 20:03:12 +1000 Subject: [PATCH 05/10] fix: run nfs_server tasks via bastion SSH instead of direct delegation The EE container cannot resolve nfsserver hostname (cluster-internal DNS). Route all nfs commands through the bastion which has cluster DNS and direct network access to the nfsserver VM. Add nfs_ssh_user and nfs_ssh_key vars. --- .../defaults/main.yml | 6 + .../handlers/main.yml | 8 +- .../tasks/nfs_server.yml | 105 +++++++++++------- 3 files changed, 78 insertions(+), 41 deletions(-) diff --git a/roles/ocp4_workload_rhoso_deployment/defaults/main.yml b/roles/ocp4_workload_rhoso_deployment/defaults/main.yml index c757bc4..c507d3a 100644 --- a/roles/ocp4_workload_rhoso_deployment/defaults/main.yml +++ b/roles/ocp4_workload_rhoso_deployment/defaults/main.yml @@ -25,6 +25,12 @@ ocp4_workload_rhoso_deployment_bastion_ssh_public_key: "{{ bastion_ssh_pubkey_pa ocp4_workload_rhoso_deployment_nfs_host: "nfsserver" ocp4_workload_rhoso_deployment_compute_host: "compute01" +# NFS server SSH access from the bastion +# The EE cannot resolve cluster-internal hostnames directly; +# all NFS tasks are proxied through the bastion. +ocp4_workload_rhoso_deployment_nfs_ssh_user: "cloud-user" +ocp4_workload_rhoso_deployment_nfs_ssh_key: "~/.ssh/{{ ocp4_workload_rhoso_deployment_guid }}key.pem" + # ============================================================================ # Content files — OpenStack YAML manifests shipped in the role's files/ dir. # The role copies these to a working directory on the bastion, then applies them. diff --git a/roles/ocp4_workload_rhoso_deployment/handlers/main.yml b/roles/ocp4_workload_rhoso_deployment/handlers/main.yml index d0e4ecf..e27fe1e 100644 --- a/roles/ocp4_workload_rhoso_deployment/handlers/main.yml +++ b/roles/ocp4_workload_rhoso_deployment/handlers/main.yml 
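Review bot: The comment above `ocp4_workload_rhoso_deployment_nfs_ssh_key` should say where the path resolves: the `ssh -i` runs on the bastion via `delegate_to: bastion`, so `~` is the bastion connection user's home, not the EE's, and the `.pem` must already exist there. I would add `# Resolved on the bastion (the host running ssh), not inside the EE; the key must already be present there.` Embedding `guid` in the default also ties the role to the `<guid>key.pem` naming convention, which is worth stating since a mismatch otherwise surfaces only as an ssh authentication failure several tasks in.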
@@ -1,5 +1,7 @@ --- +# Handler is a no-op since NFS restart is now handled inline in nfs_server.yml +# via SSH through the bastion. Kept for backwards compatibility. - name: Restart nfs-server - ansible.builtin.raw: systemctl restart nfs-server - delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" - become: true + ansible.builtin.debug: + msg: "NFS server restart handled inline via bastion SSH." + delegate_to: bastion diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/nfs_server.yml b/roles/ocp4_workload_rhoso_deployment/tasks/nfs_server.yml index 0f9cf4e..7019887 100644 --- a/roles/ocp4_workload_rhoso_deployment/tasks/nfs_server.yml +++ b/roles/ocp4_workload_rhoso_deployment/tasks/nfs_server.yml 
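Review bot: Turning the `Restart nfs-server` handler into an `ansible.builtin.debug` no-op makes any remaining `notify: Restart nfs-server` succeed without restarting anything, hiding a missing restart instead of failing. A handler whose name promises a restart should still perform it — run the same `ssh … "sudo systemctl restart nfs-server"` through the bastion here — or delete the handler so a stale notify raises Ansible's unknown-handler error at run time. The "kept for backwards compatibility" comment documents the intent but does not remove the silent-success risk.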
@@ -1,61 +1,90 @@ --- +# All NFS tasks run via the bastion (delegate_to: bastion + ssh to nfsserver) +# because the EE container cannot resolve cluster-internal hostnames. +# The bastion has cluster DNS and direct network access to the nfsserver VM. + - name: Create NFS directories - ansible.builtin.raw: >- - mkdir -p - {{ ocp4_workload_rhoso_deployment_nfs_cinder_path }} - {{ ocp4_workload_rhoso_deployment_nfs_glance_path }} - {{ ocp4_workload_rhoso_deployment_nfs_aap_path }} - && chmod 0777 - {{ ocp4_workload_rhoso_deployment_nfs_cinder_path }} - {{ ocp4_workload_rhoso_deployment_nfs_glance_path }} - {{ ocp4_workload_rhoso_deployment_nfs_aap_path }} - delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" - become: true + ansible.builtin.command: + cmd: >- + ssh -i {{ ocp4_workload_rhoso_deployment_nfs_ssh_key }} + -o StrictHostKeyChecking=no + {{ ocp4_workload_rhoso_deployment_nfs_ssh_user }}@{{ ocp4_workload_rhoso_deployment_nfs_host }} + "sudo mkdir -p + {{ ocp4_workload_rhoso_deployment_nfs_cinder_path }} + {{ ocp4_workload_rhoso_deployment_nfs_glance_path }} + {{ ocp4_workload_rhoso_deployment_nfs_aap_path }} + && sudo chmod 0777 + {{ ocp4_workload_rhoso_deployment_nfs_cinder_path }} + {{ ocp4_workload_rhoso_deployment_nfs_glance_path }} + {{ ocp4_workload_rhoso_deployment_nfs_aap_path }}" + delegate_to: bastion changed_when: true - name: Configure NFS exports - ansible.builtin.raw: | - cat > /etc/exports << 'EXPORTS' - {{ ocp4_workload_rhoso_deployment_nfs_cinder_path }} *(rw,sync,no_root_squash) - {{ ocp4_workload_rhoso_deployment_nfs_glance_path }} *(rw,sync,no_root_squash) - {{ ocp4_workload_rhoso_deployment_nfs_aap_path }} *(rw,sync,no_root_squash) - EXPORTS - delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" - become: true + ansible.builtin.shell: + cmd: | + ssh -i {{ ocp4_workload_rhoso_deployment_nfs_ssh_key }} \ + -o StrictHostKeyChecking=no \ + {{ ocp4_workload_rhoso_deployment_nfs_ssh_user }}@{{ 
ocp4_workload_rhoso_deployment_nfs_host }} \ + "sudo tee /etc/exports > /dev/null << 'EXPORTS' + {{ ocp4_workload_rhoso_deployment_nfs_cinder_path }} *(rw,sync,no_root_squash) + {{ ocp4_workload_rhoso_deployment_nfs_glance_path }} *(rw,sync,no_root_squash) + {{ ocp4_workload_rhoso_deployment_nfs_aap_path }} *(rw,sync,no_root_squash) + EXPORTS + && sudo systemctl restart nfs-server" + delegate_to: bastion changed_when: true - notify: Restart nfs-server - name: Configure static network interface on NFS server - ansible.builtin.raw: >- - nmcli con show "static-eth1" 2>/dev/null || - nmcli con add con-name "static-eth1" ifname eth1 - type ethernet ip4 {{ ocp4_workload_rhoso_deployment_nfs_server_ip }}/24 - delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" - become: true + ansible.builtin.command: + cmd: >- + ssh -i {{ ocp4_workload_rhoso_deployment_nfs_ssh_key }} + -o StrictHostKeyChecking=no + {{ ocp4_workload_rhoso_deployment_nfs_ssh_user }}@{{ ocp4_workload_rhoso_deployment_nfs_host }} + "sudo nmcli con show 'static-eth1' 2>/dev/null || + sudo nmcli con add con-name 'static-eth1' ifname eth1 + type ethernet ip4 {{ ocp4_workload_rhoso_deployment_nfs_server_ip }}/24" + delegate_to: bastion changed_when: true - name: Activate static network connection on NFS server - ansible.builtin.raw: nmcli con up "static-eth1" - delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" - become: true + ansible.builtin.command: + cmd: >- + ssh -i {{ ocp4_workload_rhoso_deployment_nfs_ssh_key }} + -o StrictHostKeyChecking=no + {{ ocp4_workload_rhoso_deployment_nfs_ssh_user }}@{{ ocp4_workload_rhoso_deployment_nfs_host }} + "sudo nmcli con up 'static-eth1'" + delegate_to: bastion changed_when: true - name: Start and enable NFS server - ansible.builtin.raw: systemctl enable --now nfs-server - delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" - become: true + ansible.builtin.command: + cmd: >- + ssh -i {{ ocp4_workload_rhoso_deployment_nfs_ssh_key }} + -o 
StrictHostKeyChecking=no + {{ ocp4_workload_rhoso_deployment_nfs_ssh_user }}@{{ ocp4_workload_rhoso_deployment_nfs_host }} + "sudo systemctl enable --now nfs-server" + delegate_to: bastion changed_when: true - name: Export NFS shares - ansible.builtin.raw: exportfs -ra - delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" - become: true + ansible.builtin.command: + cmd: >- + ssh -i {{ ocp4_workload_rhoso_deployment_nfs_ssh_key }} + -o StrictHostKeyChecking=no + {{ ocp4_workload_rhoso_deployment_nfs_ssh_user }}@{{ ocp4_workload_rhoso_deployment_nfs_host }} + "sudo exportfs -ra" + delegate_to: bastion changed_when: true - name: Verify NFS exports - ansible.builtin.raw: exportfs -v - delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" - become: true + ansible.builtin.command: + cmd: >- + ssh -i {{ ocp4_workload_rhoso_deployment_nfs_ssh_key }} + -o StrictHostKeyChecking=no + {{ ocp4_workload_rhoso_deployment_nfs_ssh_user }}@{{ ocp4_workload_rhoso_deployment_nfs_host }} + "sudo exportfs -v" + delegate_to: bastion register: _ocp4_workload_rhoso_deployment_nfs_exports changed_when: false From 012f89546fe8749c24c89124e119ec0a73a05a52 Mon Sep 17 00:00:00 2001 From: Prakhar Srivastava <31232641+prakhar1985@users.noreply.github.com> Date: Tue, 21 Apr 2026 20:05:44 +1000 Subject: [PATCH 06/10] fix: route compute01 tasks through bastion SSH (same as nfsserver fix) compute01 is also a cluster-internal VM unreachable by hostname from the EE. Proxy all compute01 tasks through the bastion using the cluster SSH key. --- .../defaults/main.yml | 6 +- .../tasks/data_plane.yml | 64 ++++++++++++------- 2 files changed, 46 insertions(+), 24 deletions(-) diff --git a/roles/ocp4_workload_rhoso_deployment/defaults/main.yml b/roles/ocp4_workload_rhoso_deployment/defaults/main.yml index c507d3a..6bd7c39 100644 --- a/roles/ocp4_workload_rhoso_deployment/defaults/main.yml +++ b/roles/ocp4_workload_rhoso_deployment/defaults/main.yml 
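Review bot: Every ssh invocation in this file passes `-o StrictHostKeyChecking=no`, which disables host-key verification on a channel that then runs `sudo` as root on the NFS server, so any host that answers for `nfsserver` on that network receives the commands. Use `-o StrictHostKeyChecking=accept-new` (or pre-seed `known_hosts` on the bastion) and add `-o BatchMode=yes` so an unexpected prompt fails rather than hangs. In `Configure NFS exports` the `&& sudo systemctl restart nfs-server` line follows the heredoc terminator on its own line, which I believe the remote shell rejects as a syntax error (`&&` cannot begin a command); move the restart to its own task or write `sudo tee /etc/exports > /dev/null <<'EXPORTS' && sudo systemctl restart nfs-server` before the body. The rewritten exports also still publish `*(rw,sync,no_root_squash)` over `chmod 0777` directories, giving every reachable host root-equivalent write to the Cinder/Glance backends; restricting the client list to the ctlplane subnet instead of `*` is the minimum hardening. The commit message notes this routing is a workaround, so the later native-delegation rework is the right place to drop the ssh flags entirely.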
@@ -25,11 +25,13 @@ ocp4_workload_rhoso_deployment_bastion_ssh_public_key: "{{ bastion_ssh_pubkey_pa ocp4_workload_rhoso_deployment_nfs_host: "nfsserver" ocp4_workload_rhoso_deployment_compute_host: "compute01" -# NFS server SSH access from the bastion +# SSH access from the bastion to cluster-internal VMs. # The EE cannot resolve cluster-internal hostnames directly; -# all NFS tasks are proxied through the bastion. +# all VM tasks are proxied through the bastion. ocp4_workload_rhoso_deployment_nfs_ssh_user: "cloud-user" ocp4_workload_rhoso_deployment_nfs_ssh_key: "~/.ssh/{{ ocp4_workload_rhoso_deployment_guid }}key.pem" +ocp4_workload_rhoso_deployment_compute_ssh_user: "cloud-user" +ocp4_workload_rhoso_deployment_compute_ssh_key: "~/.ssh/{{ ocp4_workload_rhoso_deployment_guid }}key.pem" # ============================================================================ # Content files — OpenStack YAML manifests shipped in the role's files/ dir. diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml b/roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml index 92275a4..deb0430 100644 --- a/roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml +++ b/roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml 
@@ -5,20 +5,29 @@ src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-dataplane-netconfig.yaml" delegate_to: bastion +# compute01 tasks are proxied through the bastion (same pattern as nfsserver) +# because the EE cannot resolve cluster-internal hostnames directly. + - name: Set hostname for compute node - ansible.builtin.hostname: - name: "{{ ocp4_workload_rhoso_deployment_compute_nodes[0].hostname }}" - delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}" - become: true + ansible.builtin.command: + cmd: >- + ssh -i {{ ocp4_workload_rhoso_deployment_compute_ssh_key }} + -o StrictHostKeyChecking=no + {{ ocp4_workload_rhoso_deployment_compute_ssh_user }}@{{ ocp4_workload_rhoso_deployment_compute_host }} + "sudo hostnamectl set-hostname {{ ocp4_workload_rhoso_deployment_compute_nodes[0].hostname }}" + delegate_to: bastion + changed_when: true - name: Configure static eth1 interface for control plane ansible.builtin.command: cmd: >- - nmcli con add con-name "static-eth1" ifname eth1 - type ethernet ip4 {{ ocp4_workload_rhoso_deployment_compute_nodes[0].ctlplane_ip }}/24 - ipv4.dns "172.22.0.89" - delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}" - become: true + ssh -i {{ ocp4_workload_rhoso_deployment_compute_ssh_key }} + -o StrictHostKeyChecking=no + {{ ocp4_workload_rhoso_deployment_compute_ssh_user }}@{{ ocp4_workload_rhoso_deployment_compute_host }} + "sudo nmcli con add con-name 'static-eth1' ifname eth1 + type ethernet ip4 {{ ocp4_workload_rhoso_deployment_compute_nodes[0].ctlplane_ip }}/24 + ipv4.dns '172.22.0.89'" + delegate_to: bastion register: _ocp4_workload_rhoso_deployment_compute_eth1 changed_when: >- 'Connection successfully added' in 
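Review bot: `sudo hostnamectl set-hostname {{ ocp4_workload_rhoso_deployment_compute_nodes[0].hostname }}` and the `ip4 {{ ocp4_workload_rhoso_deployment_compute_nodes[0].ctlplane_ip }}/24` argument are interpolated unquoted into a string the compute node's shell re-parses as root, so a value containing whitespace or shell metacharacters is executed rather than passed; wrap each with `| quote`, e.g. `{{ ocp4_workload_rhoso_deployment_compute_nodes[0].hostname | quote }}`. These values come from inventory and defaults, so this is mainly a robustness point, but the same `-o StrictHostKeyChecking=no` concern as in nfs_server.yml applies here too. `changed_when: true` on the hostname task also reports a change on every run; comparing against the current `hostnamectl --static` output would keep it idempotent.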
@@ -29,18 +38,23 @@
 - name: Activate static-eth1 connection on compute
 ansible.builtin.command:
- cmd: nmcli con up "static-eth1"
- delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}"
- become: true
+ cmd: >-
+ ssh -i {{ ocp4_workload_rhoso_deployment_compute_ssh_key }}
+ -o StrictHostKeyChecking=no
+ {{ ocp4_workload_rhoso_deployment_compute_ssh_user }}@{{ ocp4_workload_rhoso_deployment_compute_host }}
+ "sudo nmcli con up 'static-eth1'"
+ delegate_to: bastion
 changed_when: true
 - name: Configure eth0 DHCP connection on compute
 ansible.builtin.command:
 cmd: >-
- nmcli con add con-name "eth0-dhcp" ifname eth0
- type ethernet ipv4.method auto ipv6.method ignore
- delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}"
- become: true
+ ssh -i {{ ocp4_workload_rhoso_deployment_compute_ssh_key }}
+ -o StrictHostKeyChecking=no
+ {{ ocp4_workload_rhoso_deployment_compute_ssh_user }}@{{ ocp4_workload_rhoso_deployment_compute_host }}
+ "sudo nmcli con add con-name 'eth0-dhcp' ifname eth0
+ type ethernet ipv4.method auto ipv6.method ignore"
+ delegate_to: bastion
 register: _ocp4_workload_rhoso_deployment_compute_eth0
 changed_when: >-
 'Connection successfully added' in
@@ -51,16 +65,22 @@
 - name: Activate eth0-dhcp connection on compute
 ansible.builtin.command:
- cmd: nmcli con up "eth0-dhcp"
- delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}"
- become: true
+ cmd: >-
+ ssh -i {{ ocp4_workload_rhoso_deployment_compute_ssh_key }}
+ -o StrictHostKeyChecking=no
+ {{ ocp4_workload_rhoso_deployment_compute_ssh_user }}@{{ ocp4_workload_rhoso_deployment_compute_host }}
+ "sudo nmcli con up 'eth0-dhcp'"
+ delegate_to: bastion
 changed_when: true
 - name: Set stable ID for eth0 connection on compute
 ansible.builtin.command:
- cmd: nmcli con mod eth0-dhcp connection.stable-id user-set
- delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}"
- become: true
+ cmd: >-
+ ssh -i {{ ocp4_workload_rhoso_deployment_compute_ssh_key }}
+ -o StrictHostKeyChecking=no
+ {{ ocp4_workload_rhoso_deployment_compute_ssh_user }}@{{ ocp4_workload_rhoso_deployment_compute_host }}
+ "sudo nmcli con mod eth0-dhcp connection.stable-id user-set"
+ delegate_to: bastion
 changed_when: true
 - name: Read SSH key files
From cd4a08499b98bf1bdf9f8baca2183eb216194882 Mon Sep 17 00:00:00 2001
From: Prakhar Srivastava <31232641+prakhar1985@users.noreply.github.com>
Date: Tue, 21 Apr 2026 20:12:33 +1000
Subject: [PATCH 07/10] fix: resolve cluster VM IPs via bastion and update inventory with add_host
AgnosticD sets ansible_host to the VM short name (e.g. nfsserver) which resolves inside the cluster but not from the EE container. Use add_host to resolve the IP via bastion DNS and update ansible_host + ProxyJump so delegate_to works natively without SSH command hacks.
---
 .../handlers/main.yml | 8 +-
 .../tasks/data_plane.yml | 64 ++++-------
 .../tasks/nfs_server.yml | 105 +++++++-----------
 .../tasks/setup_hosts.yml | 38 +++++++
 .../tasks/workload.yml | 3 +
 5 files changed, 104 insertions(+), 114 deletions(-)
 create mode 100644 roles/ocp4_workload_rhoso_deployment/tasks/setup_hosts.yml
diff --git a/roles/ocp4_workload_rhoso_deployment/handlers/main.yml b/roles/ocp4_workload_rhoso_deployment/handlers/main.yml
index e27fe1e..d0e4ecf 100644
--- a/roles/ocp4_workload_rhoso_deployment/handlers/main.yml
+++ b/roles/ocp4_workload_rhoso_deployment/handlers/main.yml
@@ -1,7 +1,5 @@
 ---
-# Handler is a no-op since NFS restart is now handled inline in nfs_server.yml
-# via SSH through the bastion. Kept for backwards compatibility.
 - name: Restart nfs-server
- ansible.builtin.debug:
- msg: "NFS server restart handled inline via bastion SSH."
- delegate_to: bastion
+ ansible.builtin.raw: systemctl restart nfs-server
+ delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
+ become: true
diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml b/roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml
index deb0430..92275a4 100644
--- a/roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml
+++ b/roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml
@@ -5,29 +5,20 @@
 src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-dataplane-netconfig.yaml"
 delegate_to: bastion
-# compute01 tasks are proxied through the bastion (same pattern as nfsserver)
-# because the EE cannot resolve cluster-internal hostnames directly.
-
 - name: Set hostname for compute node
- ansible.builtin.command:
- cmd: >-
- ssh -i {{ ocp4_workload_rhoso_deployment_compute_ssh_key }}
- -o StrictHostKeyChecking=no
- {{ ocp4_workload_rhoso_deployment_compute_ssh_user }}@{{ ocp4_workload_rhoso_deployment_compute_host }}
- "sudo hostnamectl set-hostname {{ ocp4_workload_rhoso_deployment_compute_nodes[0].hostname }}"
- delegate_to: bastion
- changed_when: true
+ ansible.builtin.hostname:
+ name: "{{ ocp4_workload_rhoso_deployment_compute_nodes[0].hostname }}"
+ delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}"
+ become: true
 - name: Configure static eth1 interface for control plane
 ansible.builtin.command:
 cmd: >-
- ssh -i {{ ocp4_workload_rhoso_deployment_compute_ssh_key }}
- -o StrictHostKeyChecking=no
- {{ ocp4_workload_rhoso_deployment_compute_ssh_user }}@{{ ocp4_workload_rhoso_deployment_compute_host }}
- "sudo nmcli con add con-name 'static-eth1' ifname eth1
- type ethernet ip4 {{ ocp4_workload_rhoso_deployment_compute_nodes[0].ctlplane_ip }}/24
- ipv4.dns '172.22.0.89'"
- delegate_to: bastion
+ nmcli con add con-name "static-eth1" ifname eth1
+ type ethernet ip4 {{ ocp4_workload_rhoso_deployment_compute_nodes[0].ctlplane_ip }}/24
+ ipv4.dns "172.22.0.89"
+ delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}"
+ become: true
 register: _ocp4_workload_rhoso_deployment_compute_eth1
 changed_when: >-
 'Connection successfully added' in
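Review bot: The restored `delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}"` only works when setup_hosts.yml has already added the proxy connection variables for that host in the same run; nothing in data_plane.yml states or checks that, so a missing include surfaces as a bare SSH timeout on the first compute task. A comment above "Set hostname for compute node", `# Requires setup_hosts.yml to have run first: the compute host is reachable only through the bastion proxy configured there`, or an `ansible.builtin.assert` that `hostvars[ocp4_workload_rhoso_deployment_compute_host]['ansible_ssh_common_args'] is defined`, would make the dependency explicit. The nameserver in `ipv4.dns "172.22.0.89"` is still a hard-coded address inside a command string; it belongs in defaults/main.yml as a role variable so a different environment does not have to edit the task. The `changed_when` expression of the eth1 task continues past the end of the hunk.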
@@ -38,23 +29,18 @@
 - name: Activate static-eth1 connection on compute
 ansible.builtin.command:
- cmd: >-
- ssh -i {{ ocp4_workload_rhoso_deployment_compute_ssh_key }}
- -o StrictHostKeyChecking=no
- {{ ocp4_workload_rhoso_deployment_compute_ssh_user }}@{{ ocp4_workload_rhoso_deployment_compute_host }}
- "sudo nmcli con up 'static-eth1'"
- delegate_to: bastion
+ cmd: nmcli con up "static-eth1"
+ delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}"
+ become: true
 changed_when: true
 - name: Configure eth0 DHCP connection on compute
 ansible.builtin.command:
 cmd: >-
- ssh -i {{ ocp4_workload_rhoso_deployment_compute_ssh_key }}
- -o StrictHostKeyChecking=no
- {{ ocp4_workload_rhoso_deployment_compute_ssh_user }}@{{ ocp4_workload_rhoso_deployment_compute_host }}
- "sudo nmcli con add con-name 'eth0-dhcp' ifname eth0
- type ethernet ipv4.method auto ipv6.method ignore"
- delegate_to: bastion
+ nmcli con add con-name "eth0-dhcp" ifname eth0
+ type ethernet ipv4.method auto ipv6.method ignore
+ delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}"
+ become: true
 register: _ocp4_workload_rhoso_deployment_compute_eth0
 changed_when: >-
 'Connection successfully added' in
@@ -65,22 +51,16 @@
 - name: Activate eth0-dhcp connection on compute
 ansible.builtin.command:
- cmd: >-
- ssh -i {{ ocp4_workload_rhoso_deployment_compute_ssh_key }}
- -o StrictHostKeyChecking=no
- {{ ocp4_workload_rhoso_deployment_compute_ssh_user }}@{{ ocp4_workload_rhoso_deployment_compute_host }}
- "sudo nmcli con up 'eth0-dhcp'"
- delegate_to: bastion
+ cmd: nmcli con up "eth0-dhcp"
+ delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}"
+ become: true
 changed_when: true
 - name: Set stable ID for eth0 connection on compute
 ansible.builtin.command:
- cmd: >-
- ssh -i {{ ocp4_workload_rhoso_deployment_compute_ssh_key }}
- -o StrictHostKeyChecking=no
- {{ ocp4_workload_rhoso_deployment_compute_ssh_user }}@{{ ocp4_workload_rhoso_deployment_compute_host }}
- "sudo nmcli con mod eth0-dhcp connection.stable-id user-set"
- delegate_to: bastion
+ cmd: nmcli con mod eth0-dhcp connection.stable-id user-set
+ delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}"
+ become: true
 changed_when: true
 - name: Read SSH key files
diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/nfs_server.yml b/roles/ocp4_workload_rhoso_deployment/tasks/nfs_server.yml
index 7019887..0f9cf4e 100644
--- a/roles/ocp4_workload_rhoso_deployment/tasks/nfs_server.yml
+++ b/roles/ocp4_workload_rhoso_deployment/tasks/nfs_server.yml
@@ -1,90 +1,61 @@
 ---
-# All NFS tasks run via the bastion (delegate_to: bastion + ssh to nfsserver)
-# because the EE container cannot resolve cluster-internal hostnames.
-# The bastion has cluster DNS and direct network access to the nfsserver VM.
-
 - name: Create NFS directories
- ansible.builtin.command:
- cmd: >-
- ssh -i {{ ocp4_workload_rhoso_deployment_nfs_ssh_key }}
- -o StrictHostKeyChecking=no
- {{ ocp4_workload_rhoso_deployment_nfs_ssh_user }}@{{ ocp4_workload_rhoso_deployment_nfs_host }}
- "sudo mkdir -p
- {{ ocp4_workload_rhoso_deployment_nfs_cinder_path }}
- {{ ocp4_workload_rhoso_deployment_nfs_glance_path }}
- {{ ocp4_workload_rhoso_deployment_nfs_aap_path }}
- && sudo chmod 0777
- {{ ocp4_workload_rhoso_deployment_nfs_cinder_path }}
- {{ ocp4_workload_rhoso_deployment_nfs_glance_path }}
- {{ ocp4_workload_rhoso_deployment_nfs_aap_path }}"
- delegate_to: bastion
+ ansible.builtin.raw: >-
+ mkdir -p
+ {{ ocp4_workload_rhoso_deployment_nfs_cinder_path }}
+ {{ ocp4_workload_rhoso_deployment_nfs_glance_path }}
+ {{ ocp4_workload_rhoso_deployment_nfs_aap_path }}
+ && chmod 0777
+ {{ ocp4_workload_rhoso_deployment_nfs_cinder_path }}
+ {{ ocp4_workload_rhoso_deployment_nfs_glance_path }}
+ {{ ocp4_workload_rhoso_deployment_nfs_aap_path }}
+ delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
+ become: true
 changed_when: true
 - name: Configure NFS exports
- ansible.builtin.shell:
- cmd: |
- ssh -i {{ ocp4_workload_rhoso_deployment_nfs_ssh_key }} \
- -o StrictHostKeyChecking=no \
- {{ ocp4_workload_rhoso_deployment_nfs_ssh_user }}@{{ ocp4_workload_rhoso_deployment_nfs_host }} \
- "sudo tee /etc/exports > /dev/null << 'EXPORTS'
- {{ ocp4_workload_rhoso_deployment_nfs_cinder_path }} *(rw,sync,no_root_squash)
- {{ ocp4_workload_rhoso_deployment_nfs_glance_path }} *(rw,sync,no_root_squash)
- {{ ocp4_workload_rhoso_deployment_nfs_aap_path }} *(rw,sync,no_root_squash)
- EXPORTS
- && sudo systemctl restart nfs-server"
- delegate_to: bastion
+ ansible.builtin.raw: |
+ cat > /etc/exports << 'EXPORTS'
+ {{ ocp4_workload_rhoso_deployment_nfs_cinder_path }} *(rw,sync,no_root_squash)
+ {{ ocp4_workload_rhoso_deployment_nfs_glance_path }} *(rw,sync,no_root_squash)
+ {{ ocp4_workload_rhoso_deployment_nfs_aap_path }} *(rw,sync,no_root_squash)
+ EXPORTS
+ delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
+ become: true
 changed_when: true
+ notify: Restart nfs-server
 - name: Configure static network interface on NFS server
- ansible.builtin.command:
- cmd: >-
- ssh -i {{ ocp4_workload_rhoso_deployment_nfs_ssh_key }}
- -o StrictHostKeyChecking=no
- {{ ocp4_workload_rhoso_deployment_nfs_ssh_user }}@{{ ocp4_workload_rhoso_deployment_nfs_host }}
- "sudo nmcli con show 'static-eth1' 2>/dev/null ||
- sudo nmcli con add con-name 'static-eth1' ifname eth1
- type ethernet ip4 {{ ocp4_workload_rhoso_deployment_nfs_server_ip }}/24"
- delegate_to: bastion
+ ansible.builtin.raw: >-
+ nmcli con show "static-eth1" 2>/dev/null ||
+ nmcli con add con-name "static-eth1" ifname eth1
+ type ethernet ip4 {{ ocp4_workload_rhoso_deployment_nfs_server_ip }}/24
+ delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
+ become: true
 changed_when: true
 - name: Activate static network connection on NFS server
- ansible.builtin.command:
- cmd: >-
- ssh -i {{ ocp4_workload_rhoso_deployment_nfs_ssh_key }}
- -o StrictHostKeyChecking=no
- {{ ocp4_workload_rhoso_deployment_nfs_ssh_user }}@{{ ocp4_workload_rhoso_deployment_nfs_host }}
- "sudo nmcli con up 'static-eth1'"
- delegate_to: bastion
+ ansible.builtin.raw: nmcli con up "static-eth1"
+ delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
+ become: true
 changed_when: true
 - name: Start and enable NFS server
- ansible.builtin.command:
- cmd: >-
- ssh -i {{ ocp4_workload_rhoso_deployment_nfs_ssh_key }}
- -o StrictHostKeyChecking=no
- {{ ocp4_workload_rhoso_deployment_nfs_ssh_user }}@{{ ocp4_workload_rhoso_deployment_nfs_host }}
- "sudo systemctl enable --now nfs-server"
- delegate_to: bastion
+ ansible.builtin.raw: systemctl enable --now nfs-server
+ delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
+ become: true
 changed_when: true
 - name: Export NFS shares
- ansible.builtin.command:
- cmd: >-
- ssh -i {{ ocp4_workload_rhoso_deployment_nfs_ssh_key }}
- -o StrictHostKeyChecking=no
- {{ ocp4_workload_rhoso_deployment_nfs_ssh_user }}@{{ ocp4_workload_rhoso_deployment_nfs_host }}
- "sudo exportfs -ra"
- delegate_to: bastion
+ ansible.builtin.raw: exportfs -ra
+ delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
+ become: true
 changed_when: true
 - name: Verify NFS exports
- ansible.builtin.command:
- cmd: >-
- ssh -i {{ ocp4_workload_rhoso_deployment_nfs_ssh_key }}
- -o StrictHostKeyChecking=no
- {{ ocp4_workload_rhoso_deployment_nfs_ssh_user }}@{{ ocp4_workload_rhoso_deployment_nfs_host }}
- "sudo exportfs -v"
- delegate_to: bastion
+ ansible.builtin.raw: exportfs -v
+ delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
+ become: true
 register: _ocp4_workload_rhoso_deployment_nfs_exports
 changed_when: false
diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/setup_hosts.yml b/roles/ocp4_workload_rhoso_deployment/tasks/setup_hosts.yml
new file mode 100644
index 0000000..354abbb
--- /dev/null
+++ b/roles/ocp4_workload_rhoso_deployment/tasks/setup_hosts.yml
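Review bot: The rewritten "Create NFS directories" and "Configure NFS exports" tasks keep `chmod 0777` on the export directories and `*(rw,sync,no_root_squash)` in `/etc/exports`, so every host that can reach the NFS server gets read-write, root-preserving access to the Cinder, Glance and AAP shares; the commit changes the transport but leaves that exposure as it was. Scope each export to the network that actually mounts it, e.g. `{{ ocp4_workload_rhoso_deployment_nfs_cinder_path }} <ctlplane-cidr>(rw,sync,no_root_squash)` with the CIDR taken from the role's network variables rather than a literal, and drop `no_root_squash` on any share whose consumer does not need root identity preserved. Because `ansible.builtin.raw` cannot report idempotence, `changed_when: true` on the exports task fires `notify: Restart nfs-server` on every run; if the VM has Python, `ansible.builtin.copy` with `content:` for /etc/exports and `ansible.builtin.file` for the directories would restore change detection — presumably `raw` was chosen because it does not, in which case a comment at the top of the file stating that assumption would help the next maintainer.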
@@ -0,0 +1,38 @@
+---
+# Resolve cluster-internal VM hostnames from the bastion (which has cluster DNS)
+# and update their inventory entries so the EE can reach them via ProxyJump.
+# This runs once at the start of the workload and makes all delegate_to tasks work natively.
+
+- name: Resolve {{ ocp4_workload_rhoso_deployment_nfs_host }} IP from bastion DNS
+ ansible.builtin.command:
+ cmd: "getent hosts {{ ocp4_workload_rhoso_deployment_nfs_host }}"
+ delegate_to: bastion
+ register: _ocp4_workload_rhoso_deployment_nfs_addr
+ changed_when: false
+
+- name: Resolve {{ ocp4_workload_rhoso_deployment_compute_host }} IP from bastion DNS
+ ansible.builtin.command:
+ cmd: "getent hosts {{ ocp4_workload_rhoso_deployment_compute_host }}"
+ delegate_to: bastion
+ register: _ocp4_workload_rhoso_deployment_compute_addr
+ changed_when: false
+
+- name: Update {{ ocp4_workload_rhoso_deployment_nfs_host }} inventory with resolved IP and bastion ProxyJump
+ ansible.builtin.add_host:
+ name: "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
+ ansible_host: "{{ _ocp4_workload_rhoso_deployment_nfs_addr.stdout.split()[0] }}"
+ ansible_user: "{{ ocp4_workload_rhoso_deployment_nfs_ssh_user }}"
+ ansible_ssh_private_key_file: "{{ ocp4_workload_rhoso_deployment_nfs_ssh_key }}"
+ ansible_ssh_common_args: >-
+ -o StrictHostKeyChecking=no
+ -o ProxyJump={{ ansible_user }}@{{ ansible_host }}:{{ ansible_port | default(22) }}
+
+- name: Update {{ ocp4_workload_rhoso_deployment_compute_host }} inventory with resolved IP and bastion ProxyJump
+ ansible.builtin.add_host:
+ name: "{{ ocp4_workload_rhoso_deployment_compute_host }}"
+ ansible_host: "{{ _ocp4_workload_rhoso_deployment_compute_addr.stdout.split()[0] }}"
+ ansible_user: "{{ ocp4_workload_rhoso_deployment_compute_ssh_user }}"
+ ansible_ssh_private_key_file: "{{ ocp4_workload_rhoso_deployment_compute_ssh_key }}"
+ ansible_ssh_common_args: >-
+ -o StrictHostKeyChecking=no
+ -o ProxyJump={{ ansible_user }}@{{ ansible_host }}:{{ ansible_port | default(22) }}
diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/workload.yml b/roles/ocp4_workload_rhoso_deployment/tasks/workload.yml
index 43cde98..9017f87 100644
--- a/roles/ocp4_workload_rhoso_deployment/tasks/workload.yml
+++ b/roles/ocp4_workload_rhoso_deployment/tasks/workload.yml
@@ -1,4 +1,7 @@
 ---
+- name: Set up cluster-internal VM inventory entries
+ ansible.builtin.include_tasks: setup_hosts.yml
+
 - name: Prerequisites — install NMState, MetalLB, verify cert-manager
 ansible.builtin.include_tasks: prerequisites.yml
 when: ocp4_workload_rhoso_deployment_phase_prerequisites | bool
From 22aa4f20b6f0d8d3334e929e85bb242cd8f96eda Mon Sep 17 00:00:00 2001
From: Prakhar Srivastava <31232641+prakhar1985@users.noreply.github.com>
Date: Tue, 21 Apr 2026 20:15:34 +1000
Subject: [PATCH 08/10] fix: simplify setup_hosts using existing AgnosticD inventory variables
AgnosticD already sets public_ip_address, bastion_ssh_port and ansible_user on isolated VM hosts. ProxyJump resolves the destination hostname from the bastion (not the EE), so no getent needed. Just add ansible_ssh_common_args. Remove unneeded nfs_ssh_user/key and compute_ssh_user/key variables.
---
 .../defaults/main.yml | 13 +----
 .../tasks/setup_hosts.yml | 49 ++++++-------------
 2 files changed, 18 insertions(+), 44 deletions(-)
diff --git a/roles/ocp4_workload_rhoso_deployment/defaults/main.yml b/roles/ocp4_workload_rhoso_deployment/defaults/main.yml
index 6bd7c39..82c9602 100644
--- a/roles/ocp4_workload_rhoso_deployment/defaults/main.yml
+++ b/roles/ocp4_workload_rhoso_deployment/defaults/main.yml
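Review bot: `ansible_host: "{{ _ocp4_workload_rhoso_deployment_nfs_addr.stdout.split()[0] }}"` (and the compute equivalent) indexes the `getent hosts` output without checking it: a name that does not resolve on the bastion makes `getent` exit non-zero and the resolve task fails with a generic command error, and a name that resolves to several addresses silently takes the first. A `failed_when: _ocp4_workload_rhoso_deployment_nfs_addr.stdout | trim == ''` on each resolve task, or an `ansible.builtin.assert` naming the host before the `add_host`, turns that into a readable failure. The ProxyJump target `{{ ansible_user }}@{{ ansible_host }}` is rendered for the play's current host, not for the `delegate_to: bastion` target used two tasks earlier, so it is correct only when the play itself runs against the bastion — presumably the case here, but worth stating in the header comment. Host-key checking is disabled here as in the earlier compute-node tasks.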
@@ -20,19 +20,11 @@ ocp4_workload_rhoso_deployment_bastion_ssh_private_key: "{{ bastion_ssh_key_path
 ocp4_workload_rhoso_deployment_bastion_ssh_public_key: "{{ bastion_ssh_pubkey_path | default('~/.ssh/bastion_' ~ guid ~ '.pub') }}"
 # ============================================================================
-# Inventory hostnames — override if your inventory uses different names
+# Inventory hostnames — must match what AgnosticD sets in add_host
 # ============================================================================
 ocp4_workload_rhoso_deployment_nfs_host: "nfsserver"
 ocp4_workload_rhoso_deployment_compute_host: "compute01"
-# SSH access from the bastion to cluster-internal VMs.
-# The EE cannot resolve cluster-internal hostnames directly;
-# all VM tasks are proxied through the bastion.
-ocp4_workload_rhoso_deployment_nfs_ssh_user: "cloud-user"
-ocp4_workload_rhoso_deployment_nfs_ssh_key: "~/.ssh/{{ ocp4_workload_rhoso_deployment_guid }}key.pem"
-ocp4_workload_rhoso_deployment_compute_ssh_user: "cloud-user"
-ocp4_workload_rhoso_deployment_compute_ssh_key: "~/.ssh/{{ ocp4_workload_rhoso_deployment_guid }}key.pem"
-
 # ============================================================================
 # Content files — OpenStack YAML manifests shipped in the role's files/ dir.
 # The role copies these to a working directory on the bastion, then applies them.
@@ -40,8 +32,7 @@ ocp4_workload_rhoso_deployment_compute_ssh_key: "~/.ssh/{{ ocp4_workload_rhoso_d
 ocp4_workload_rhoso_deployment_files_directory: "openstack-files"
 # Full working directory path on the bastion.
-# Uses /tmp to ensure it is writable by any SSH connection user,
-# regardless of whether the EE runs as root or a regular user.
+# Uses /tmp to ensure it is writable by any SSH connection user.
 # Override to use a different absolute path.
 ocp4_workload_rhoso_deployment_workdir: "/tmp/{{ ocp4_workload_rhoso_deployment_files_directory }}"
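Review bot: `ocp4_workload_rhoso_deployment_workdir: "/tmp/{{ ocp4_workload_rhoso_deployment_files_directory }}"` is a fixed, predictable path inside a world-writable directory on a shared bastion, so any local account can create `/tmp/openstack-files` — or a symlink of that name — before the role runs, and the role will then write its manifests (and any other artifacts it generates under the workdir) into a location it does not own; the shortened comment keeps the writability rationale but says nothing about this. If the goal is only "writable regardless of the connection user", create the directory with `mode: "0700"` and fail when it already exists with a different owner, or keep it under the connection user's home as the earlier default did and document why /tmp was preferred. The comment should also state what lands in the directory beyond the shipped manifests, since that determines how strictly it needs protecting.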
diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/setup_hosts.yml b/roles/ocp4_workload_rhoso_deployment/tasks/setup_hosts.yml
index 354abbb..412991f 100644
--- a/roles/ocp4_workload_rhoso_deployment/tasks/setup_hosts.yml
+++ b/roles/ocp4_workload_rhoso_deployment/tasks/setup_hosts.yml
@@ -1,38 +1,21 @@
 ---
-# Resolve cluster-internal VM hostnames from the bastion (which has cluster DNS)
-# and update their inventory entries so the EE can reach them via ProxyJump.
-# This runs once at the start of the workload and makes all delegate_to tasks work natively.
+# AgnosticD (infra-openshift-cnv-create-inventory) already adds isolated VMs
+# to inventory with:
+# ansible_ssh_host: (e.g. nfsserver, compute01)
+# public_ip_address:
+# bastion_ssh_port:
+# ansible_user: cloud-user
+#
+# The only missing piece is ansible_ssh_common_args with ProxyJump.
+# With ProxyJump, the destination hostname is resolved by the JUMP HOST (bastion),
+# not by the EE — so nfsserver/compute01 resolve correctly via cluster DNS.
-- name: Resolve {{ ocp4_workload_rhoso_deployment_nfs_host }} IP from bastion DNS
- ansible.builtin.command:
- cmd: "getent hosts {{ ocp4_workload_rhoso_deployment_nfs_host }}"
- delegate_to: bastion
- register: _ocp4_workload_rhoso_deployment_nfs_addr
- changed_when: false
-
-- name: Resolve {{ ocp4_workload_rhoso_deployment_compute_host }} IP from bastion DNS
- ansible.builtin.command:
- cmd: "getent hosts {{ ocp4_workload_rhoso_deployment_compute_host }}"
- delegate_to: bastion
- register: _ocp4_workload_rhoso_deployment_compute_addr
- changed_when: false
-
-- name: Update {{ ocp4_workload_rhoso_deployment_nfs_host }} inventory with resolved IP and bastion ProxyJump
- ansible.builtin.add_host:
- name: "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
- ansible_host: "{{ _ocp4_workload_rhoso_deployment_nfs_addr.stdout.split()[0] }}"
- ansible_user: "{{ ocp4_workload_rhoso_deployment_nfs_ssh_user }}"
- ansible_ssh_private_key_file: "{{ ocp4_workload_rhoso_deployment_nfs_ssh_key }}"
- ansible_ssh_common_args: >-
- -o StrictHostKeyChecking=no
- -o ProxyJump={{ ansible_user }}@{{ ansible_host }}:{{ ansible_port | default(22) }}
-
-- name: Update {{ ocp4_workload_rhoso_deployment_compute_host }} inventory with resolved IP and bastion ProxyJump
+- name: Configure isolated VM connections with bastion ProxyJump
 ansible.builtin.add_host:
- name: "{{ ocp4_workload_rhoso_deployment_compute_host }}"
- ansible_host: "{{ _ocp4_workload_rhoso_deployment_compute_addr.stdout.split()[0] }}"
- ansible_user: "{{ ocp4_workload_rhoso_deployment_compute_ssh_user }}"
- ansible_ssh_private_key_file: "{{ ocp4_workload_rhoso_deployment_compute_ssh_key }}"
+ name: "{{ item }}"
 ansible_ssh_common_args: >-
 -o StrictHostKeyChecking=no
- -o ProxyJump={{ ansible_user }}@{{ ansible_host }}:{{ ansible_port | default(22) }}
+ -o ProxyJump={{ hostvars[item]['ansible_user'] | default('cloud-user') }}@{{ hostvars[item]['public_ip_address'] }}:{{ hostvars[item]['bastion_ssh_port'] }}
+ loop:
+ - "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
+ - "{{ ocp4_workload_rhoso_deployment_compute_host }}"
From c8b9cc641c1ae772af1c42e6950e6f3dc453d92e Mon Sep 17 00:00:00 2001
From: Prakhar Srivastava <31232641+prakhar1985@users.noreply.github.com>
Date: Tue, 21 Apr 2026 21:41:49 +1000
Subject: [PATCH 09/10] =?UTF-8?q?fix:=20remove=20setup=5Fhosts=20=E2=80=94?=
 =?UTF-8?q?=20EE=20inventory=20already=20handles=20isolated=20VM=20connect?=
 =?UTF-8?q?ions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 roles/ocp4_workload_rhoso_deployment/tasks/workload.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/workload.yml b/roles/ocp4_workload_rhoso_deployment/tasks/workload.yml
index 9017f87..43cde98 100644
--- a/roles/ocp4_workload_rhoso_deployment/tasks/workload.yml
+++ b/roles/ocp4_workload_rhoso_deployment/tasks/workload.yml
@@ -1,7 +1,4 @@
 ---
-- name: Set up cluster-internal VM inventory entries
- ansible.builtin.include_tasks: setup_hosts.yml
-
 - name: Prerequisites — install NMState, MetalLB, verify cert-manager
 ansible.builtin.include_tasks: prerequisites.yml
 when: ocp4_workload_rhoso_deployment_phase_prerequisites | bool
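Review bot: `hostvars[item]['public_ip_address']` and `hostvars[item]['bastion_ssh_port']` in the new `ProxyJump` value have no `default`, so a host that AgnosticD did not register with those variables fails this task with an undefined-variable traceback instead of a message naming the missing input; `ansible_user` gets a default but the two values that actually make the proxy work do not. An `ansible.builtin.assert` before the `add_host`, looping over the same two hosts, with `that: ["hostvars[item]['public_ip_address'] is defined", "hostvars[item]['bastion_ssh_port'] is defined"]` and a `fail_msg` naming `item`, states the precondition the header comment only describes; the same applies to the ProxyCommand version of this task in the last patch of the series. The header comment asserts what AgnosticD places in inventory but nothing in the role verifies it, so the assert is what makes the comment true at run time.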
From 66f9bfced78251a475f61176391302a2a8192f5f Mon Sep 17 00:00:00 2001
From: Prakhar Srivastava <31232641+prakhar1985@users.noreply.github.com>
Date: Tue, 21 Apr 2026 21:47:22 +1000
Subject: [PATCH 10/10] fix: restore setup_hosts with ProxyCommand StrictHostKeyChecking fix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
AgnosticD does NOT configure SSH proxy for isolated hosts — they are excluded from direct SSH plays (hosts: all:!isolated). We must configure the proxy ourselves. Use ProxyCommand (not ProxyJump) so StrictHostKeyChecking=no applies to both the bastion hop and final destination.
---
 .../tasks/setup_hosts.yml | 25 +++++++++++--------
 .../tasks/workload.yml | 3 +++
 2 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/setup_hosts.yml b/roles/ocp4_workload_rhoso_deployment/tasks/setup_hosts.yml
index 412991f..66f5e55 100644
--- a/roles/ocp4_workload_rhoso_deployment/tasks/setup_hosts.yml
+++ b/roles/ocp4_workload_rhoso_deployment/tasks/setup_hosts.yml
@@ -1,21 +1,24 @@
 ---
-# AgnosticD (infra-openshift-cnv-create-inventory) already adds isolated VMs
-# to inventory with:
-# ansible_ssh_host: (e.g. nfsserver, compute01)
-# public_ip_address:
-# bastion_ssh_port:
-# ansible_user: cloud-user
+# AgnosticD excludes isolated VMs from direct SSH plays (hosts: all:!isolated)
+# so no SSH proxy is configured for them in the EE inventory.
+# We configure the proxy here using variables AgnosticD already sets:
+# public_ip_address: bastion external SSH hostname
+# bastion_ssh_port: bastion NodePort
+# ansible_user: cloud-user
 #
-# The only missing piece is ansible_ssh_common_args with ProxyJump.
-# With ProxyJump, the destination hostname is resolved by the JUMP HOST (bastion),
-# not by the EE — so nfsserver/compute01 resolve correctly via cluster DNS.
+# ProxyCommand (not ProxyJump) is used so that -o StrictHostKeyChecking=no
+# and -o UserKnownHostsFile=/dev/null apply to BOTH the bastion hop and
+# the final VM connection, preventing interactive host-key prompts in AAP.
-- name: Configure isolated VM connections with bastion ProxyJump
+- name: Configure isolated VM connections via bastion ProxyCommand
 ansible.builtin.add_host:
 name: "{{ item }}"
 ansible_ssh_common_args: >-
 -o StrictHostKeyChecking=no
- -o ProxyJump={{ hostvars[item]['ansible_user'] | default('cloud-user') }}@{{ hostvars[item]['public_ip_address'] }}:{{ hostvars[item]['bastion_ssh_port'] }}
+ -o UserKnownHostsFile=/dev/null
+ -o "ProxyCommand=ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
+ -W %h:%p -p {{ hostvars[item]['bastion_ssh_port'] }}
+ {{ hostvars[item]['ansible_user'] | default('cloud-user') }}@{{ hostvars[item]['public_ip_address'] }}"
 loop:
 - "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
 - "{{ ocp4_workload_rhoso_deployment_compute_host }}"
diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/workload.yml b/roles/ocp4_workload_rhoso_deployment/tasks/workload.yml
index 43cde98..8440fdc 100644
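Review bot: The added `-o UserKnownHostsFile=/dev/null`, combined with the existing `StrictHostKeyChecking=no` on both the outer connection and the inner `ProxyCommand=ssh ...`, means the EE never authenticates the bastion it reaches over `public_ip_address` — an externally exposed endpoint — nor the VM behind it, and the header comment presents this as the purpose of switching to ProxyCommand; the stated goal, no interactive prompt in AAP, does not require giving up host authentication. `-o StrictHostKeyChecking=accept-new` together with a persistent `-o UserKnownHostsFile=<known-hosts-path>` (a writable path in the EE, exposed as a role variable) also never prompts: it records each host key on first contact and refuses a changed key afterwards, which is the property worth keeping on the bastion hop in particular. If AgnosticD already knows the bastion's host key, seeding that file from it is better still and the comment should then say where the key comes from. `hostvars[item]['public_ip_address']` and `hostvars[item]['bastion_ssh_port']` remain without `default`, as noted on the ProxyJump version of this task.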
--- a/roles/ocp4_workload_rhoso_deployment/tasks/workload.yml
+++ b/roles/ocp4_workload_rhoso_deployment/tasks/workload.yml
@@ -1,4 +1,7 @@
 ---
+- name: Set up bastion ProxyCommand for isolated VM connections
+ ansible.builtin.include_tasks: setup_hosts.yml
+
 - name: Prerequisites — install NMState, MetalLB, verify cert-manager
 ansible.builtin.include_tasks: prerequisites.yml
 when: ocp4_workload_rhoso_deployment_phase_prerequisites | bool