Merge branch 'dev' into main-dev-merge

.ansible-lint

@@ -24,6 +24,7 @@ exclude_paths:
 enable_list:
   - yaml
 skip_list:
+  - meta-runtime[unsupported-version] # We don't want to enforce new Ansible versions for Galaxy
   - experimental
   - ignore-errors # We use ignore_errors for all the assert tasks, which should be acceptable
   - schema # We want to allow single digit version numbers in a role's meta/main.yml file. This is allowed as per https://galaxy.ansible.com/docs/contributing/creating_role.html and https://galaxy.ansible.com/api/v1/platforms/?page=6.

meta/runtime.yml

@@ -1,2 +1,2 @@
 ---
-requires_ansible: '>=2.9.10'
+requires_ansible: '>=2.12.0'

playbooks/README.md

@@ -0,0 +1,8 @@
+
+# List of playbooks
+
+- prepare-for-hana
+- prepare-for-netweaver
+- install-sap-hana
+- install-sap-hana-cluster
+- install-sap-hana-s4

playbooks/sample-sap-hypervisor-redhat_ocp_virt-preconfigure.yml

@@ -0,0 +1,11 @@
+---
+- hosts: all
+  gather_facts: true
+  serial: 1
+  vars:
+    sap_hypervisor_node_platform: redhat_ocp_virt
+
+  tasks:
+    - name: Include Role
+      ansible.builtin.include_role:
+        name: sap_hypervisor_node_preconfigure

playbooks/vars/sample-variables-sap-hypervisor-node-preconfigure-rh_ocp_virt.yml

@@ -0,0 +1,92 @@
+sap_hypervisor_node_preconfigure_cluster_config:
+
+  # URL under which the OCP cluster is reachable
+  cluster_url: ocpcluster.domain.org
+
+  # namespace under which the VMs are created, note this has to be
+  # openshift-sriov-network-operator in case of using SRIOV network
+  # devices
+  vm_namespace: sap
+
+  # Optional, configuration for trident driver for Netapp NFS filer
+  trident:
+    management: management.domain.org
+    data: datalif.netapp.domain.org
+    svm: sap_svm
+    backend: nas_backend
+    aggregate: aggregate_Name
+    username: admin
+    password: xxxxx
+    storage_driver: ontap-nas
+    storage_prefix: ocpv_sap_
+
+  # CPU cores which will be reserved for kubernetes
+  worker_kubernetes_reserved_cpus: "0,1"
+
+  # Storage device used for host path provisioner as local storage.
+  worker_localstorage_device: /dev/vdb
+
+  # detailed configuration for every worker that should be configured
+  # 
+  workers:
+    - name: worker-0                   # name must match the node name
+      networks:                        # Example network config
+        - name: sapbridge              # using a bridge
+          description: SAP bridge
+          state: up
+          type: linux-bridge
+          ipv4:
+            enabled: false
+            auto-gateway: false
+            auto-dns: false
+          bridge:
+            options:
+              stp:
+                enabled: false
+            port:
+              - name: ens1f0           # network IF name
+        - name: storage                # an SRIOV device        
+          interface: ens2f0            # network IF name
+          type: sriov
+
+        - bridge:                      # another bridge
+            options:
+              stp:
+                enabled: false
+            port:
+            - name: ens2f0             # network IF name
+          description: storage
+          mtu: 9000
+          ipv4:
+            address:
+            - ip: 192.168.1.51         # IP config
+              prefix-length: 24
+            auto-dns: false
+            auto-gateway: false
+          enabled: true
+          name: storagebridge
+          state: up
+          type: linux-bridge
+        - name: multi                  # another SRIOV device
+          interface: ens2f1            # network IF name
+          type: sriov
+
+    - name: worker-1                   # second worker configuration
+      networks:                        # Example network config
+        - name: sapbridge              # using a bridge
+          description: SAP bridge
+          state: up
+          type: linux-bridge
+          ipv4:
+            enabled: false
+            auto-gateway: false
+            auto-dns: false
+          bridge:
+            options:
+              stp:
+                enabled: false
+            port:
+              - name: ens1f0           # network IF name
+        - name: storage                # an SRIOV device        
+          interface: ens2f0            # network IF name
+          type: sriov

playbooks/vars/sample-variables-sap-swpm-advanced-mode-s4hana-onehost-install.yml

@@ -10,12 +10,14 @@ sap_install_media_detect_kernel: true
 sap_install_media_detect_webdisp: false
 sap_install_media_detect_db: "saphana"
 
+# Manual set critical software paths
+# sap_swpm_sapcar_path: /software/sapcar
+# sap_swpm_swpm_path: /software/sap_swpm
+# sap_swpm_software_path: /software/sap_download_basket
 
 # NOTE: Values in Dictionary Keys for instance numbers must be string using '01' single quote, otherwise SAP SWPM will crash
 
 sap_swpm_ansible_role_mode: "advanced"
-sap_swpm_sapcar_path: /software/sap_downloads
-sap_swpm_swpm_path: /software/sap_downloads
 
 sap_swpm_product_catalog_id: NW_ABAP_OneHost:S4HANA2020.CORE.HDB.ABAP
 

playbooks/vars/sample-variables-sap-swpm-advanced-templates-mode.yml

@@ -11,9 +11,15 @@ sap_install_media_detect_source: local_dir
 #sap_install_media_detect_webdisp: false
 #sap_install_media_detect_db: "saphana"
 
+# Manual set critical software paths
+# sap_swpm_sapcar_path: /software/sapcar
+# sap_swpm_swpm_path: /software/sap_swpm
+# sap_swpm_software_path: /software/sap_download_basket
 
 # NOTE: Values in Dictionary Keys for instance numbers must be string using '01' single quote, otherwise SAP SWPM will crash
 
+sap_swpm_ansible_role_mode: advanced_templates
+
 sap_swpm_templates_install_dictionary:
 
   sap_system_rename:

roles/sap_anydb_install_oracle/meta/runtime.yml

@@ -0,0 +1,2 @@
+---
+requires_ansible: '>=2.12.0'

roles/sap_general_preconfigure/.ansible-lint

@@ -1,7 +1,10 @@
 ---
+exclude_paths:
+  - tests/
 enable_list:
   - yaml
 skip_list:
+  - meta-runtime[unsupported-version] # We don't want to enforce new Ansible versions for Galaxy
   - ignore-errors # We use ignore_errors for all the assert tasks, which should be acceptable
   - schema # We want to allow single digit version numbers in a role's meta/main.yml file. This is allowed as per https://galaxy.ansible.com/docs/contributing/creating_role.html and https://galaxy.ansible.com/api/v1/platforms/?page=6.
   - name[template] # Allow templating inside name. During dev and qa, it should be possible to identify cases where it doesn't work

roles/sap_general_preconfigure/handlers/main.yml

@@ -24,14 +24,17 @@
     - not sap_general_preconfigure_fail_if_reboot_required|d(true)
     - not sap_general_preconfigure_reboot_ok|d(false)
 
-# Reason for noqa: We want to avoid non-ansible.builtin modules where possible
-- name: Remount /dev/shm # noqa command-instead-of-module
+# Reasons for noqa:
+# - command-instead-of-module: We want to avoid non-ansible.builtin modules where possible
+# - no-changed-when: Remounting does not do any harm and does not affect idempotency.
+- name: Remount /dev/shm # noqa command-instead-of-module no-changed-when
   ansible.builtin.command: mount -o remount /dev/shm
   listen: __sap_general_preconfigure_mount_tmpfs_handler
 
 - name: Check if /dev/shm is available
   ansible.builtin.command: df -h /dev/shm
   register: __sap_general_preconfigure_command_df_shm_result
+  changed_when: false
   listen: __sap_general_preconfigure_mount_tmpfs_handler
 
 - name: Show the result of df -h /dev/shm

roles/sap_general_preconfigure/meta/runtime.yml

@@ -1,2 +1,2 @@
 ---
-requires_ansible: '>=2.9.10'
+requires_ansible: '>=2.12.0'

roles/sap_general_preconfigure/tasks/RedHat/assert-installation.yml

@@ -181,7 +181,8 @@
     - sap_general_preconfigure_min_package_check|bool
     - __sap_general_preconfigure_min_pkgs | d([])
   block:
-    - name: Assert - Create a list of minimum required package versions to be installed
+# Reason for noqa: We can safely fail at the last command in the pipeline.
+    - name: Assert - Create a list of minimum required package versions to be installed # noqa risky-shell-pipe
 # How does it work?
 # 1 - Print the required package name and version with a prefix "1" followed by a space.
 # 2 - In the same output sequence, list all installed versions of this package with a prefix "2" followed by a space.

roles/sap_general_preconfigure/tasks/RedHat/generic/configure-selinux.yml

@@ -39,6 +39,7 @@
 - name: SELinux - Call Reboot handler if necessary
   ansible.builtin.command: /bin/true
   notify: __sap_general_preconfigure_reboot_handler
+  changed_when: false
   when: __sap_general_preconfigure_fact_selinux_mode != sap_general_preconfigure_selinux_state
 
 - name: Set or unset SELinux kernel parameter, RHEL 8 and RHEL 9
@@ -50,7 +51,7 @@
   block:
 
     - name: SELinux - Examine grub entries
-      ansible.builtin.shell: grubby --info=ALL | awk 'BEGIN{a=0;b=0}/^args/{a++}/selinux=0/{b++}END{print a, b}'
+      ansible.builtin.shell: set -o pipefail && grubby --info=ALL | awk 'BEGIN{a=0;b=0}/^args/{a++}/selinux=0/{b++}END{print a, b}'
       register: __sap_general_preconfigure_register_grubby_info_all_selinux
       check_mode: no
       changed_when: false

roles/sap_general_preconfigure/tasks/RedHat/generic/configure-tmpfs.yml

@@ -20,4 +20,5 @@
 - name: Trigger remounting if /dev/shm has not the expected size
   ansible.builtin.command: /bin/true
   notify: __sap_general_preconfigure_mount_tmpfs_handler
+  changed_when: false
   when: __sap_general_preconfigure_register_df_shm.stdout != sap_general_preconfigure_size_of_tmpfs_gb

roles/sap_general_preconfigure/tasks/RedHat/installation.yml

@@ -97,7 +97,8 @@
     - sap_general_preconfigure_set_minor_release
     - __sap_general_preconfigure_register_subscription_manager_release.stdout == ansible_distribution_version
 
-- name: Set the minor RHEL release
+# Reason for noqa: Finding out if the minor release has already been set would require one more task.
+- name: Set the minor RHEL release # noqa no-changed-when
   ansible.builtin.command: subscription-manager release --set="{{ ansible_distribution_version }}"
   when:
     - sap_general_preconfigure_set_minor_release
@@ -113,7 +114,8 @@
 #       Because the installation of an environment or package group is not guaranteed to avoid package updates,
 #       and because of bug 2011426 (for which the fix is not available in the RHEL 8.1 ISO image), a RHEL 8.1
 #       system might not boot after installing environment group Server.
-- name: Ensure that the required package groups are installed, RHEL 8 and RHEL 9 # noqa command-instead-of-module
+# Reason for noqa: Finding out if packages already are installed would require one more task.
+- name: Ensure that the required package groups are installed, RHEL 8 and RHEL 9 # noqa command-instead-of-module no-changed-when
   ansible.builtin.command: "yum install {{ sap_general_preconfigure_packagegroups | join(' ') }} --nobest --exclude=kernel* -y"
   register: __sap_general_preconfigure_register_yum_group_install
   when: ansible_distribution_major_version == '8' or ansible_distribution_major_version == '9'
@@ -144,6 +146,7 @@
 
 - name: Accept the license for the IBM Service and Productivity Tools
   ansible.builtin.shell: LESS=+q /opt/ibm/lop/configure <<<'y'
+  changed_when: true
   when:
     - ansible_architecture == "ppc64le"
     - sap_general_preconfigure_install_ibm_power_tools | d(true)
@@ -164,7 +167,8 @@
     - __sap_general_preconfigure_min_pkgs | d([])
   block:
 
-    - name: Create a list of minimum required package versions to be installed
+# Reason for noqa: We can safely fail at the last command in the pipeline.
+    - name: Create a list of minimum required package versions to be installed # noqa risky-shell-pipe
 # How does it work?
 # 1 - Print the required package name and version with a prefix "1" followed by a space.
 # 2 - In the same output sequence, list all installed versions of this package with a prefix "2" followed by a space.
@@ -275,4 +279,5 @@
 - name: Call Reboot handler if necessary
   ansible.builtin.command: /bin/true
   notify: __sap_general_preconfigure_reboot_handler
+  changed_when: false
   when: __sap_general_preconfigure_register_needs_restarting is failed

roles/sap_general_preconfigure/tasks/SLES/assert-installation.yml

@@ -17,7 +17,8 @@
     - __sap_general_preconfigure_min_pkgs | d([])
   block:
 
-    - name: Assert - Create a list of minimum required package versions to be installed
+# Reason for noqa: We can safely fail at the last command in the pipeline.
+    - name: Assert - Create a list of minimum required package versions to be installed # noqa risky-shell-pipe
 # How does it work?
 # 1 - Print the required package name and version with a prefix "1" followed by a space.
 # 2 - In the same output sequence, list all installed versions of this package with a prefix "2" followed by a space.

roles/sap_general_preconfigure/tasks/SLES/installation.yml

@@ -11,7 +11,8 @@
     - __sap_general_preconfigure_min_pkgs|d([])
   block:
 
-    - name: Create a list of minimum required package versions to be installed
+# Reason for noqa: We can safely fail at the last command in the pipeline.
+    - name: Create a list of minimum required package versions to be installed  # noqa risky-shell-pipe
 # How does it work?
 # 1 - Print the required package name and version with a prefix "1" followed by a space.
 # 2 - In the same output sequence, list all installed versions of this package with a prefix "2" followed by a space.
@@ -98,4 +99,5 @@
 - name: Call Reboot handler if necessary
   ansible.builtin.command: /bin/true
   notify: __sap_general_preconfigure_reboot_handler
+  changed_when: false
   when: __sap_general_preconfigure_register_needs_restarting is failed

roles/sap_ha_install_hana_hsr/meta/runtime.yml

@@ -1,2 +1,2 @@
 ---
-requires_ansible: '>=2.9.10'
+requires_ansible: '>=2.12.0'

roles/sap_ha_install_hana_hsr/tasks/configure_hsr.yml

@@ -49,6 +49,7 @@
   loop: "{{ sap_ha_install_hana_hsr_cluster_nodes }}"
   loop_control:
     label: "{{ item.node_name }}"
+  changed_when: true
 
 - name: "SAP HSR - Start HANA instance on secondary"
   ansible.builtin.shell: |

roles/sap_ha_install_hana_hsr/tasks/hdbuserstore.yml

@@ -2,6 +2,7 @@
 # ansible-lint:
 # become_user string is deduced from a variable + suffix with no spaces
 - name: "SAP HSR - Check if hdbuserstore exists"
+  become: true
   become_user: "{{ sap_ha_install_hana_hsr_sid | lower }}adm"
   ansible.builtin.command: |
     /usr/sap/{{ sap_ha_install_hana_hsr_sid }}/SYS/exe/hdb/hdbuserstore \
@@ -15,10 +16,12 @@
 # ansible-lint:
 # become_user string is deduced from a variable + suffix with no spaces
 - name: "SAP HSR - Create and Store Connection Info in hdbuserstore"
+  become: true
   become_user: "{{ sap_ha_install_hana_hsr_sid | lower }}adm"
   ansible.builtin.command: |
     /usr/sap/{{ sap_ha_install_hana_hsr_sid }}/SYS/exe/hdb/hdbuserstore \
     SET {{ sap_ha_install_hana_hsr_hdbuserstore_system_backup_user }} \
     {{ ansible_hostname }}:3{{ sap_ha_install_hana_hsr_instance_number }}13 \
     SYSTEM '{{ sap_ha_install_hana_hsr_db_system_password }}'
   when: sap_ha_install_hana_hsr_hdbuserstore.rc != '0'
+  changed_when: true

roles/sap_ha_install_hana_hsr/tasks/log_mode.yml

@@ -24,3 +24,4 @@
     EOF
   ignore_errors: true
   when: sap_ha_install_hana_hsr_log_mode.rc != '0'
+  changed_when: true

roles/sap_ha_install_hana_hsr/tasks/pki_files.yml

@@ -5,6 +5,8 @@
 # control node.
 
 - name: "SAP HSR - Direct connection handling to primary"
+  become: true
+  become_user: "{{ sap_ha_install_hana_hsr_sid | lower }}adm"
   block:
 
     - name: "SAP HSR - Create .ssh if missing"
@@ -123,6 +125,3 @@
         - __sap_ha_install_hana_hsr_create_ssh_prim.changed is defined
         - __sap_ha_install_hana_hsr_create_ssh_prim.changed
       delegate_to: "{{ __sap_ha_install_hana_hsr_primary_node }}"
-
-  become: true
-  become_user: "{{ sap_ha_install_hana_hsr_sid | lower }}adm"

roles/sap_ha_pacemaker_cluster/README.md

@@ -421,7 +421,7 @@ Mandatory for the cluster setup on IBM Cloud Virtual Server instances or IBM Pow
 - _Type:_ `string`
 
 IBM Power Virtual Server API Endpoint type (public or private) dependent on network interface attachments for the target instances.<br>
-['Mandatory for the cluster setup on IBM Power Virtual Server from IBM Cloud.']<br>
+Mandatory for the cluster setup on IBM Power Virtual Server from IBM Cloud.<br>
 
 ### sap_ha_pacemaker_cluster_ibmcloud_powervs_forward_proxy_url
 

roles/sap_ha_pacemaker_cluster/defaults/main.yml

@@ -202,6 +202,9 @@ sap_ha_pacemaker_cluster_nwas_sys_filesystem_resource_name: "Filesystem_NWAS_SYS
 # Set this parameter to "true" to configure the 3 shared filesystems as part of the cluster.
 sap_ha_pacemaker_cluster_nwas_shared_filesystems_cluster_managed: false
 
+# SAP NetWeaver resource group names as convenience parameters
+sap_ha_pacemaker_cluster_vip_nwas_abap_ascs_resource_group_name: "{{ sap_ha_pacemaker_cluster_nwas_abap_sid }}_ASCS{{ sap_ha_pacemaker_cluster_nwas_abap_ascs_instance_nr }}_group"
+sap_ha_pacemaker_cluster_vip_nwas_abap_ers_resource_group_name: "{{ sap_ha_pacemaker_cluster_nwas_abap_sid }}_ERS{{ sap_ha_pacemaker_cluster_nwas_abap_ers_instance_nr }}_group"
 
 ################################################################################
 # ASCS resource defaults

roles/sap_ha_pacemaker_cluster/meta/argument_specs.yml

@@ -495,6 +495,15 @@ argument_specs:
         description:
           - Change this parameter to 'true' if the 3 shared filesystems `/usr/sap/trans`, `/usr/sap/<SID>/SYS` and '/sapmnt' shall be configured as cloned cluster resources.
 
+      sap_ha_pacemaker_cluster_vip_nwas_abap_ascs_resource_group_name:
+        default: <SID>_ASCS<ASCS-instance-number>_group
+        description:
+          - Name of the NetWeaver ASCS resource group.
+
+      sap_ha_pacemaker_cluster_vip_nwas_abap_ers_resource_group_name:
+        default: <SID>_ERS<ERS-instance-number>_group
+        description:
+          - Name of the NetWeaver ERS resource group.
 
       ##########################################################################
       # NetWeaver ASCS specific parameters
@@ -661,7 +670,7 @@ argument_specs:
       sap_ha_pacemaker_cluster_ibmcloud_powervs_api_type:
         description:
           - IBM Power Virtual Server API Endpoint type (public or private) dependent on network interface attachments for the target instances.
-          - - Mandatory for the cluster setup on IBM Power Virtual Server from IBM Cloud.
+          - Mandatory for the cluster setup on IBM Power Virtual Server from IBM Cloud.
 
       sap_ha_pacemaker_cluster_ibmcloud_powervs_forward_proxy_url:
         description: