edpm_iscsid: Move iscsid from container to host

Update the edpm_iscsid tasks to (re)deploy the iscsid daemon on
the EDPM host instead of running it in a container. This helps
avoid a number of historical customer support issues, and
facilitates booting an EDPM host from an iSCSI SAN volume.

The new tasks support the following deployment scenarios:
- Greenfield
- Brownfield, where iscsid was previsouly running in a container
- Adoption, where iscsid was previsouly running in a container
  that was managed by tripleo.

Update multipathd and nova_compute volume mounts to not relabel
the SELinux context on the iscsi directories. Running iscsid on
the host also requires nova_compute to run iscsiadm on the host.

Closes: OSPRH-17176

Author: ASBishop

roles/edpm_download_cache/tasks/container_images.yml

@@ -8,15 +8,6 @@
     - edpm_podman
     - download_cache
 
-- name: Download images for edpm_iscsid role
-  when: '"nova" in edpm_download_cache_running_services'
-  ansible.builtin.include_role:
-    name: osp.edpm.edpm_iscsid
-    tasks_from: download_cache.yml
-  tags:
-    - edpm_iscsid
-    - download_cache
-
 - name: Download images for edpm_ovn role
   when: '"ovn" in edpm_download_cache_running_services'
   ansible.builtin.include_role:

roles/edpm_download_cache/tasks/packages.yml

@@ -66,3 +66,13 @@
   tags:
     - edpm_libvirt
     - download_cache
+
+- name: Download packages for edpm_iscsid role
+  # iscsid is part of the "nova" EDPM service
+  when: '"nova" in edpm_download_cache_running_services'
+  ansible.builtin.include_role:
+    name: osp.edpm.edpm_iscsid
+    tasks_from: download_cache.yml
+  tags:
+    - edpm_iscsid
+    - download_cache

roles/edpm_iscsid/defaults/main.yml

@@ -20,23 +20,13 @@
 # All variables within this role should have a prefix of "edpm_iscsid"
 
 # seconds between retries for download tasks
-edpm_iscsid_image_download_delay: "{{ edpm_download_delay | default(60) }}"
+edpm_iscsid_download_delay: "{{ edpm_download_delay | default(60) }}"
 
 # number of retries for download tasks
-edpm_iscsid_image_download_retries: "{{ edpm_download_retries | default(5) }}"
+edpm_iscsid_download_retries: "{{ edpm_download_retries | default(5) }}"
 
-edpm_iscsid_debug: "{{ (ansible_verbosity | int) >= 2 | bool }}"
-
-edpm_iscsid_image: "quay.io/podified-antelope-centos9/openstack-iscsid:current-podified"
-edpm_iscsid_volumes:
-  - /var/lib/kolla/config_files/iscsid.json:/var/lib/kolla/config_files/config.json:ro
-  - /dev:/dev
-  - /run:/run
-  - /sys:/sys
-  - /lib/modules:/lib/modules:ro
-  - /etc/iscsi:/etc/iscsi:z
-  - /etc/target:/etc/target:z
-  - /var/lib/iscsi:/var/lib/iscsi:z
+edpm_iscsid_packages:
+  - iscsi-initiator-utils
 
 edpm_iscsid_chap_algs: >-
   {{
@@ -45,5 +35,9 @@ edpm_iscsid_chap_algs: >-
     default('check', true) == 'enabled') |
     ternary('', ',SHA1,MD5')
   }}
-# if container health check should be enabled
-edpm_iscsid_healthcheck: true
+
+edpm_iscsid_legacy_services:
+  - tripleo_iscsid.service
+  - edpm_iscsid.service
+
+edpm_iscsid_tripleo_config_dir: '/var/lib/config-data/puppet-generated/iscsid/etc/iscsi'

roles/edpm_iscsid/handlers/main.yml

@@ -1,8 +1,7 @@
 ---
 
-- name: Record the iscsid container restart is required
+- name: Restart the iscsid service
   become: true
-  ansible.builtin.file:
-    path: /etc/iscsi/.iscsid_restart_required
-    state: touch
-    mode: "0600"
+  ansible.builtin.systemd_service:
+    name: iscsid
+    state: restarted

roles/edpm_iscsid/meta/argument_specs.yml

@@ -4,43 +4,33 @@ argument_specs:
   main:
     short_description: The main entry point for the edpm_iscsid role.
     options:
-      edpm_iscsid_image_download_delay:
+      edpm_iscsid_download_delay:
         type: int
-        default: 5
+        default: 60
         description: The seconds between retries for failed download tasks
-      edpm_iscsid_image_download_retries:
+      edpm_iscsid_download_retries:
         type: int
         default: 5
         description: The number of retries for failed download tasks
-      edpm_iscsid_debug:
-        type: bool
-        default: false
-        description: |
-          Produce additional text messages describing role operation.
-          Set to false by default using following template:
-          {{ (ansible_verbosity | int) >= 2 | bool }}
-      edpm_iscsid_image:
-        type: str
-        default: "quay.io/podified-antelope-centos9/openstack-iscsid:current-podified"
-        description: URL of the iscsid container image.
-      edpm_iscsid_volumes:
+      edpm_iscsid_packages:
         type: list
+        description: The list of packages to install for iscsid.
         default:
-          - /var/lib/kolla/config_files/iscsid.json:/var/lib/kolla/config_files/config.json:ro
-          - /dev:/dev
-          - /run:/run
-          - /sys:/sys
-          - /lib/modules:/lib/modules:ro
-          - /etc/iscsi:/etc/iscsi:z
-          - /etc/target:/etc/target:z
-          - /var/lib/iscsi:/var/lib/iscsi:z
-        description: List of iscsid volume mounts with permissions.
+          - iscsi-initiator-utils
       edpm_iscsid_chap_algs:
         type: str
         default: 'SHA3-256,SHA256,SHA1,MD5'
         description: List of allowed CHAP algorithms.
-      edpm_iscsid_healthcheck:
-        type: bool
-        default: true
+      edpm_iscsid_legacy_services:
+        type: list
+        description: |
+          The list of legacy containerized services associated with adoption
+          and brownfield deployment scenarios.
+        default:
+          - tripleo_iscsid.service
+          - edpm_iscsid.service
+      edpm_iscsid_tripleo_config_dir:
+        type: str
+        default: '/var/lib/config-data/puppet-generated/iscsid/etc/iscsi'
         description: |
-          Enable container health check injection
+          The directory containing the iscsid configuration generated by tripleo.

roles/edpm_iscsid/tasks/cleanup_containers.yml

@@ -0,0 +1,40 @@
+---
+# Copyright 2025 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Gather services facts
+  ansible.builtin.service_facts:
+
+- name: Identify legacy iscsid containerized services
+  ansible.builtin.set_fact:
+    legacy_iscsid_services: "{{ edpm_iscsid_legacy_services | intersect(ansible_facts.services.keys()) }}"
+
+- name: Clean up legacy iscsid containerized services
+  become: true
+  when: legacy_iscsid_services | default([]) | length > 0
+  block:
+    - name: Stop and disable legacy iscsid containerized services
+      # The edpm_tripleo_cleanup role works for stopping and disabling the
+      # legacy tripleo_iscsid.service (adoption scenario) or edpm_iscsid.service
+      # (update scenario).
+      ansible.builtin.include_role:
+        role: osp.edpm.edpm_tripleo_cleanup
+      vars:
+        edpm_old_tripleo_services: "{{ legacy_iscsid_services }}"
+
+    - name: Delete containerized healthcheck script
+      ansible.builtin.file:
+        path: /var/lib/openstack/healthchecks/iscsid
+        state: absent

roles/edpm_iscsid/tasks/configure.yml

@@ -14,8 +14,8 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-
 - name: Check if the iSCSI initiator name (IQN) has been reset
+  become: true
   ansible.builtin.stat:
     path: /etc/iscsi/.initiator_reset
   register: initiator_reset_state
@@ -29,16 +29,10 @@
   when: not initiator_reset_state.stat.exists
   become: true
   block:
-
     - name: Generate a unique IQN
-      containers.podman.podman_container:
-        name: iscsid_config
-        image: "{{ edpm_iscsid_image }}"
-        rm: true
-        tty: true
-        detach: false
-        command: /usr/sbin/iscsi-iname
+      ansible.builtin.command: /usr/sbin/iscsi-iname
       register: iscsi_iname
+      changed_when: true
 
     - name: Save the new IQN
       ansible.builtin.copy:
@@ -51,21 +45,8 @@
         path: /etc/iscsi/.initiator_reset
         mode: "0600"
         state: touch
-
-- name: Check if /etc/iscsi/iscsid.conf exists on the host
-  ansible.builtin.stat:
-    path: /etc/iscsi/iscsid.conf
-  register: result
-
-- name: Copy iscsid.conf from the iscsid container to the host
-  when: not result.stat.exists
-  containers.podman.podman_container:
-    name: iscsid_config
-    image: "{{ edpm_iscsid_image }}"
-    rm: true
-    command: cp /etc/iscsi/iscsid.conf /host/etc/iscsi/
-    volume:
-      - /etc/iscsi:/host/etc/iscsi
+      notify:
+        - Restart the iscsid service
 
 - name: Write CHAP algorithms
   become: true
@@ -74,4 +55,5 @@
     line: "node.session.auth.chap_algs = {{ edpm_iscsid_chap_algs }}"
     regexp: "^node.session.auth.chap_algs"
     insertafter: "^#node.session.auth.chap.algs"
-  notify: Record the iscsid container restart is required
+  notify:
+    - Restart the iscsid service

roles/edpm_iscsid/tasks/download_cache.yml

@@ -1,11 +1,11 @@
 ---
 
-- name: Download needed container
-  containers.podman.podman_image:
-    name: "{{ edpm_iscsid_image }}"
-    auth_file: "{{ edpm_download_cache_podman_auth_file }}"
+- name: Download iscsid packages
+  ansible.builtin.dnf:
+    name: "{{ edpm_iscsid_packages }}"
+    download_only: true
   become: true
-  register: edpm_iscsid_image_download
-  until: edpm_iscsid_image_download.failed == false
-  retries: "{{ edpm_iscsid_image_download_retries }}"
-  delay: "{{ edpm_iscsid_image_download_delay }}"
+  register: edpm_iscsid_packages_install
+  until: edpm_iscsid_packages_install is succeeded
+  retries: "{{ edpm_iscsid_download_retries }}"
+  delay: "{{ edpm_iscsid_download_delay }}"

roles/edpm_iscsid/tasks/install.yml

@@ -13,48 +13,64 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
+
+- name: Gather ansible_local facts
+  ansible.builtin.setup:
+    gather_subset:
+      - "!all"
+      - "!min"
+      - "local"
+  when:
+    - ansible_local is not defined
+
+- name: Clean up legacy containerized iscsid
+  ansible.builtin.include_tasks: cleanup_containers.yml
+
 - name: Run iscsid install tasks with root privileges
   become: true
   block:
-    - name: Create persistent directories
-      ansible.builtin.file:
-        path: "{{ item.path }}"
-        state: directory
-        setype: "{{ item.setype | default(omit) }}"
-        selevel: "{{ item.selevel | default(omit) }}"
-        recurse: "{{ item.recurse | default(omit) }}"
-        mode: "{{ item.mode | default(omit) }}"
-      loop:
-        - {'path': /etc/iscsi, 'setype': container_file_t, 'mode': '0755'}
-        - {'path': /etc/target, 'setype': container_file_t}
-        - {'path': /var/lib/iscsi, 'setype': container_file_t}
-        - {'path': /var/lib/config-data, 'setype': container_file_t, 'selevel': s0, 'mode': '0755'}
-        - {'path': /var/lib/config-data/ansible-generated/iscsid, 'setype': container_file_t, 'mode': '0755'}
-
-    - name: Stat /lib/systemd/system/iscsid.socket
+    - name: Install iscsid packages
+      tags:
+        - install
+        - edpm_iscsid
+      ansible.builtin.dnf:
+        name: "{{ edpm_iscsid_packages }}"
+        state: present
+      register: edpm_iscsid_packages_install
+      until: edpm_iscsid_packages_install is succeeded
+      retries: "{{ edpm_iscsid_download_retries }}"
+      delay: "{{ edpm_iscsid_download_delay }}"
+      when: ansible_local.bootc is not defined or not ansible_local.bootc
+
+    - name: Detect whether the data plane is being adopted
       ansible.builtin.stat:
-        path: /lib/systemd/system/iscsid.socket
-      register: stat_iscsid_socket
-
-    - name: Stop and disable iscsid.socket service
-      ansible.builtin.systemd:
-        name: iscsid.socket
-        state: stopped
-        enabled: false
-      when: stat_iscsid_socket.stat.exists
-
-    - name: Gather services facts
-      ansible.builtin.service_facts:
-
-    - name: Stop and disable iscsi.service and iscsi-starter.service
-      ansible.builtin.systemd:
-        name: "{{ item }}"
-        state: stopped
-        enabled: false
+        path: "{{ edpm_iscsid_tripleo_config_dir }}"
+      register: tripleo_iscsid_config_dir
+
+    - name: Adopt the iscsid configuration
+      when:
+        - tripleo_iscsid_config_dir.stat.exists
+        - tripleo_iscsid_config_dir.stat.isdir
+      block:
+        - name: Copy the containerized iscsid configuration to the host
+          ansible.builtin.copy:
+            src: "{{ edpm_iscsid_tripleo_config_dir }}/"
+            dest: /etc/iscsi
+            remote_src: true
+            mode: preserve
+
+        - name: Mark the iscsid adoption complete
+          ansible.builtin.command: |
+            mv "{{ edpm_iscsid_tripleo_config_dir }}" "{{ edpm_iscsid_tripleo_config_dir }}.adopted"
+          changed_when: true
+
+    - name: Check SELinux context of iSCSI directories
+      ansible.builtin.command: "/usr/sbin/restorecon -nvr /etc/iscsi /var/lib/iscsi"
+      changed_when: false
+      register: iscsi_selinux_status
+
+    - name: Restore SELinux context of iSCSI directories
+      ansible.builtin.command: "/usr/sbin/restorecon -rF /etc/iscsi /var/lib/iscsi"
       when:
-        - ansible_facts.services[item] is defined
-        - ansible_facts.services[item]["status"] != "not-found"
-        - ansible_facts.services[item]["status"] == "enabled"
-      loop:
-        - iscsi.service
-        - iscsi-starter.service
+        - iscsi_selinux_status.stdout_lines | length > 0
+      changed_when: true