pre-update
==========

.. _pre-update_check-for-dangling-images:

check-for-dangling-images
-------------------------

Check for podman dangling images.

Make sure there are no dangling images before the update.


- **hosts**: undercloud
- **groups**: pre-update
- **parameters**:

  - **check_for_dangling_images_debug**: False
- **roles**: check_for_dangling_images

Role documentation

.. toctree::

   roles/role-check_for_dangling_images

.. _pre-update_compute-tsx:

compute-tsx
-----------

RHEL8.x kernel flag for Compute nodes validation.

The RHEL-8.3 kernel disabled the Intel TSX (Transactional
Synchronization Extensions) feature by default as a preemptive
security measure, but this breaks live migration from RHEL-7.9
(or even RHEL-8.1 or RHEL-8.2) to RHEL-8.3.

Operators are expected to explicitly define the TSX flag in
their KernelArgs for the compute role to prevent live-migration
issues during the upgrade process.

This also impacts upstream CentOS systems.


- **hosts**: nova_libvirt
- **groups**: pre-upgrade, pre-system-upgrade, pre-overcloud-prepare, pre-overcloud-upgrade, pre-overcloud-converge, pre-update, pre-update-prepare, pre-update-run, pre-update-converge
- **parameters**:

  - **compute_tsx_debug**: False

  - **compute_tsx_warning**: False
- **roles**: compute_tsx

Role documentation

.. toctree::

   roles/role-compute_tsx

.. _pre-update_container-status:

container-status
----------------

Ensure container status.

Detect failed containers and raise an error.


- **hosts**: undercloud, allovercloud
- **groups**: backup-and-restore, pre-upgrade, pre-update, post-deployment, post-upgrade
- **parameters**:
- **roles**: container_status

Role documentation

.. toctree::

   roles/role-container_status

.. _pre-update_openstack-endpoints:

openstack-endpoints
-------------------

Check connectivity to various OpenStack services.

This validation gets the PublicVip address from the deployment and
tries to access Horizon and get a Keystone token.


- **hosts**: undercloud
- **groups**: post-deployment, pre-upgrade, post-upgrade, pre-update, post-update
- **parameters**:
- **roles**: openstack_endpoints

Role documentation

.. toctree::

   roles/role-openstack_endpoints

.. _pre-update_package-version:

package-version
---------------

package-version.

Ensures we can access the wanted package version. Especially useful
when you are switching repositories, for instance during an upgrade.


- **hosts**: all
- **groups**: prep, pre-deployment, pre-upgrade, pre-update, pre-system-upgrade, pre-undercloud-upgrade, pre-overcloud-prepare, pre-overcloud-upgrade, pre-overcloud-converge, pre-ceph
- **parameters**:

  - **package_version_debug**: False
- **roles**: package_version

Role documentation

.. toctree::

   roles/role-package_version

.. _pre-update_repos:

repos
-----

Check correctness of current repositories.

Check that the repositories listed in ``yum repolist``
are reachable and that at least one repo is
configured.

Detect if there are any unwanted repositories (such as EPEL) enabled.


- **hosts**: undercloud, allovercloud
- **groups**: pre-upgrade, pre-update
- **parameters**:
- **roles**: repos

Role documentation

.. toctree::

   roles/role-repos

.. _pre-update_system-encoding:

system-encoding
---------------

System encoding.

Ensure the locale is Unicode.


- **hosts**: all
- **groups**: pre-deployment, pre-upgrade, pre-update
- **parameters**:

  - **system_encoding_debug**: False
- **roles**: system_encoding

Role documentation

.. toctree::

   roles/role-system_encoding

.. _pre-update_undercloud-disabled-services:

undercloud-disabled-services
----------------------------

Verify undercloud services state before running update or upgrade.

Check undercloud status before running a stack update, especially a minor update or a major upgrade.


- **hosts**: undercloud
- **groups**: backup-and-restore, post-upgrade, pre-upgrade, post-update, pre-update
- **parameters**:
- **roles**: undercloud_disabled_services

Role documentation

.. toctree::

   roles/role-undercloud_disabled_services

.. _pre-update_undercloud-ipa-server-check:

undercloud-ipa-server-check
---------------------------

Verify that the IPA server has the right permissions and ACI.

This validation is relevant for systems where TLS Everywhere is enabled.

A new ACI is needed on the FreeIPA server to ensure that certificates with IP SANs can be
issued. This ACI will be delivered by default from FreeIPA 4.8.5.

In addition, a new permission is needed to add DNS zones for tripleo-ipa. This
permission is an addition to the current permissions for the Nova Host Manager role.

This validation confirms that the new permission and ACI are present.

https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/tls-introduction.html


- **hosts**: undercloud
- **groups**: pre-upgrade, pre-update
- **parameters**:
- **roles**: tls_everywhere

Role documentation

.. toctree::

   roles/role-tls_everywhere

.. _pre-update_undercloud-proxy-validation:

undercloud-proxy-validation
---------------------------

Verify proxy variables are properly set.

Check proxy configuration before running a stack update, especially a minor update or a major upgrade.


- **hosts**: undercloud
- **groups**: backup-and-restore, post-upgrade, pre-upgrade, post-update, pre-update
- **parameters**:
- **roles**: undercloud_proxy_validation

Role documentation

.. toctree::

   roles/role-undercloud_proxy_validation

.. _pre-update_undercloud-service-status:

undercloud-service-status
-------------------------

Verify undercloud services state before running update or upgrade.

Check undercloud status before running a stack update, especially a minor update or a major upgrade.


- **hosts**: undercloud
- **groups**: backup-and-restore, post-upgrade, pre-upgrade, post-update, pre-update
- **parameters**:
- **roles**: undercloud_service_status

Role documentation

.. toctree::

   roles/role-undercloud_service_status

.. _pre-update_validate-passwords-file:

validate-passwords-file
-----------------------

Check Undercloud passwords file.

Disallow updates if the passwords file is missing.
If the undercloud was already deployed, the passwords file needs to be
present so passwords that can't be changed are persisted.  If the file
is missing it will break the undercloud, so we should fail-fast and let
the user know about the problem.  Both the old and new paths to the file
are checked.  If either is found, the validation will pass, as the old
path will be migrated to the new one during an update/upgrade.


- **hosts**: undercloud
- **groups**: prep, pre-upgrade, pre-update
- **parameters**:
- **roles**: validate_passwords_file

Role documentation

.. toctree::

   roles/role-validate_passwords_file
