libvirt: deploy libvirt on the host

In some cases it may be desirable to run libvirt daemon on the host. For
example, when mixing host and container OS distributions.

This change makes it possible to disable the nova_libvirt container, by
setting kolla_enable_nova_libvirt_container to false.

The stackhpc.libvirt-host role is used in order to install and configure
a libvirt daemon on compute hosts when
kolla_enable_nova_libvirt_container is false.

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/825357
Depends-On: https://review.opendev.org/c/openstack/kayobe-config-dev/+/829225
Depends-On: stackhpc/ansible-role-libvirt-host#51

Story: 2009858
Task: 44495

Change-Id: I73fef63fb886a9d543d2f4231fb009523495edb3
(cherry picked from commit c4b74f4)

Author: markgoddard

ansible/compute-libvirt-host.yml

@@ -0,0 +1,56 @@
+---
+- name: Ensure the libvirt daemon is configured
+  hosts: compute
+  tags:
+    - libvirt-host
+  tasks:
+    - name: Ensure Ceph package repository is available
+      package:
+        name: "centos-release-ceph-{{ compute_libvirt_ceph_repo_release }}"
+        state: present
+      when:
+        - compute_libvirt_enabled | bool
+        - ansible_facts.distribution in ['CentOS', 'Rocky']
+        - compute_libvirt_ceph_repo_install | bool
+      become: true
+
+    - name: Include stackhpc.libvirt-host role
+      include_role:
+        name: stackhpc.libvirt-host
+      vars:
+        libvirt_host_libvirtd_conf: "{{ compute_libvirt_conf }}"
+        libvirt_host_qemu_conf: "{{ compute_qemu_conf }}"
+        libvirt_host_tcp_listen: "{{ not compute_libvirt_enable_tls | bool }}"
+        libvirt_host_tcp_listen_address: "{{ internal_net_name | net_ip }}:16509"
+        libvirt_host_tls_listen: "{{ compute_libvirt_enable_tls | bool }}"
+        libvirt_host_tls_listen_address: "{{ internal_net_name | net_ip }}:16514"
+        # TLS server and client certificates.
+        libvirt_host_tls_server_cert: >-
+          {{ lookup('file', lookup('first_found', lookup_params | combine({'files': ['servercert.pem']})))
+             if libvirt_host_tls_listen | default(False) | bool else '' }}
+        libvirt_host_tls_server_key: >-
+          {{ lookup('file', lookup('first_found', lookup_params | combine({'files': ['serverkey.pem']})))
+             if libvirt_host_tls_listen | default(False) | bool else '' }}
+        libvirt_host_tls_client_cert: >-
+          {{ lookup('file', lookup('first_found', lookup_params | combine({'files': ['clientcert.pem']})))
+             if libvirt_host_tls_listen | default(False) | bool else '' }}
+        libvirt_host_tls_client_key: >-
+          {{ lookup('file', lookup('first_found', lookup_params | combine({'files': ['clientkey.pem']})))
+             if libvirt_host_tls_listen | default(False) | bool else '' }}
+        libvirt_host_tls_cacert: >-
+          {{ lookup('file', lookup('first_found', lookup_params | combine({'files': ['cacert.pem']})))
+             if libvirt_host_tls_listen | default(False) | bool else '' }}
+        lookup_params:
+          paths: "{{ libvirt_tls_cert_paths }}"
+          skip: true
+        # Support loading libvirt TLS certificates & keys from per-host and
+        # global locations.
+        libvirt_tls_cert_paths: >-
+          {{ (libvirt_tls_cert_dirs | unique | product([inventory_hostname]) | map('path_join') | list +
+              libvirt_tls_cert_dirs | unique | list) | list }}
+        libvirt_tls_cert_dirs:
+          - "{{ kayobe_env_config_path }}/certificates/libvirt"
+          - "{{ kayobe_config_path }}/certificates/libvirt"
+        libvirt_host_enable_efi_support: true
+      when:
+        - compute_libvirt_enabled | bool

ansible/group_vars/all/compute

@@ -154,3 +154,54 @@ compute_firewalld_default_zone:
 # - permanent: true
 # - state: enabled
 compute_firewalld_rules: []
+
+###############################################################################
+# Compute node host libvirt configuration.
+
+# Whether to enable a host libvirt daemon. Default is true if kolla_enable_nova
+# is true and kolla_enable_nova_libvirt_container is false.
+compute_libvirt_enabled: "{{ kolla_enable_nova | bool and not kolla_enable_nova_libvirt_container | bool }}"
+
+# A dict of default configuration options to write to
+# /etc/libvirt/libvirtd.conf.
+compute_libvirt_conf_default:
+  auth_tcp: "none"
+  log_level: "{{ compute_libvirtd_log_level }}"
+
+# A dict of additional configuration options to write to
+# /etc/libvirt/libvirtd.conf.
+compute_libvirt_conf_extra: {}
+
+# A dict of configuration options to write to /etc/libvirt/libvirtd.conf.
+# Default is a combination of compute_libvirt_conf_default and
+# compute_libvirt_conf_extra.
+compute_libvirt_conf: "{{ compute_libvirt_conf_default | combine(compute_libvirt_conf_extra) }}"
+
+# Numerical log level for libvirtd. Default is 3.
+compute_libvirtd_log_level: 3
+
+# A dict of default configuration options to write to
+# /etc/libvirt/qemu.conf.
+compute_qemu_conf_default:
+  max_files: 32768
+  max_processes: 131072
+
+# A dict of additional configuration options to write to
+# /etc/libvirt/qemu.conf.
+compute_qemu_conf_extra: {}
+
+# A dict of configuration options to write to /etc/libvirt/qemu.conf.
+# Default is a combination of compute_qemu_conf_default and
+# compute_qemu_conf_extra.
+compute_qemu_conf: "{{ compute_qemu_conf_default | combine(compute_qemu_conf_extra) }}"
+
+# Whether to enable a libvirt TLS listener. Default is false.
+compute_libvirt_enable_tls: false
+
+# Whether to install a Ceph package repository on CentOS and Rocky hosts.
+# Default is true.
+compute_libvirt_ceph_repo_install: true
+
+# Ceph package repository release to install on CentOS and Rocky hosts when
+# compute_libvirt_ceph_repo_install is true. Default is 'pacific'.
+compute_libvirt_ceph_repo_release: pacific

ansible/group_vars/all/kolla

@@ -559,6 +559,7 @@ kolla_enable_murano: "no"
 kolla_enable_neutron_mlnx: "no"
 kolla_enable_neutron_provider_networks: "no"
 kolla_enable_neutron_sriov: "no"
+kolla_enable_nova_libvirt_container: "yes"
 kolla_enable_octavia: "no"
 kolla_enable_openvswitch: "{{ kolla_enable_neutron | bool }}"
 kolla_enable_ovn: "no"

ansible/kolla-ansible.yml

@@ -103,6 +103,7 @@
         kolla_inspector_netmask: "{{ inspection_net_name | net_mask }}"
         kolla_inspector_default_gateway: "{{ inspection_net_name | net_inspection_gateway or inspection_net_name | net_gateway }}"
         kolla_inspector_extra_kernel_options: "{{ inspector_extra_kernel_options }}"
+        kolla_libvirt_tls: "{{ compute_libvirt_enable_tls | bool }}"
         kolla_enable_host_ntp: false
         docker_daemon_mtu: "{{ public_net_name | net_mtu | default }}"
         kolla_globals_paths_extra:

ansible/kolla-openstack.yml

@@ -246,3 +246,5 @@
       kolla_extra_sahara: "{{ kolla_extra_config.sahara | default }}"
       kolla_extra_zookeeper: "{{ kolla_extra_config.zookeeper | default }}"
       kolla_extra_config_path: "{{ kayobe_env_config_path }}/kolla/config"
+      kolla_libvirt_tls: "{{ compute_libvirt_enable_tls | bool }}"
+      kolla_nova_libvirt_certificates_src: "{{ kayobe_env_config_path }}/certificates/libvirt"

ansible/roles/kolla-ansible/defaults/main.yml

@@ -231,6 +231,8 @@ kolla_openstack_logging_debug:
 # controllers.
 kolla_nova_compute_ironic_host:
 
+kolla_libvirt_tls:
+
 ###############################################################################
 # Extra free-form configuraton.
 

ansible/roles/kolla-ansible/templates/kolla/globals.yml

@@ -375,6 +375,10 @@ enable_{{ feature_flag }}: {{ hostvars[inventory_hostname]['kolla_enable_' ~ fea
 # Valid options are [ none, novnc, spice, rdp ]
 #nova_console: "novnc"
 
+{% if kolla_libvirt_tls is not none %}
+libvirt_tls: {{ kolla_libvirt_tls | bool }}
+{% endif %}
+
 #################
 # Hyper-V options
 #################

ansible/roles/kolla-ansible/vars/main.yml

@@ -181,6 +181,7 @@ kolla_feature_flags:
   - nova
   - nova_fake
   - nova_horizon_policy_file
+  - nova_libvirt_container
   - nova_serialconsole_proxy
   - nova_ssh
   - octavia

ansible/roles/kolla-openstack/defaults/main.yml

@@ -447,9 +447,19 @@ kolla_extra_neutron_ml2:
 # Whether to enable Nova.
 kolla_enable_nova:
 
+# Whether to enable Nova libvirt container.
+kolla_enable_nova_libvirt_container:
+
 # Free form extra configuration to append to nova.conf.
 kolla_extra_nova:
 
+# Whether libvirt TLS is enabled.
+kolla_libvirt_tls:
+
+# Directory containing libvirt certificates for nova-compute when running
+# libvirt on the host.
+kolla_nova_libvirt_certificates_src:
+
 ###############################################################################
 # Octavia configuration.
 

ansible/roles/kolla-openstack/molecule/enable-everything/molecule.yml

@@ -15,7 +15,7 @@ provisioner:
   inventory:
     group_vars:
       all:
-        kolla_extra_config_path:
+        kolla_extra_config_path: ${MOLECULE_TEMP_PATH:-/tmp}/molecule/kolla/config
         kolla_enable_aodh: true
         kolla_extra_aodh: |
           [extra-aodh.conf]
@@ -116,9 +116,12 @@ provisioner:
           [extra-ml2_conf.ini]
           foo=bar
         kolla_enable_nova: true
+        kolla_enable_nova_libvirt_container: false
         kolla_extra_nova: |
           [extra-nova.conf]
           foo=bar
+        kolla_libvirt_tls: true
+        kolla_nova_libvirt_certificates_src: ${MOLECULE_TEMP_PATH:-/tmp}/molecule/nova-libvirt/certificates
         kolla_enable_octavia: true
         kolla_extra_octavia: |
           [extra-octavia.conf]