This change allows the following use cases:
1. Using an already-configured MariaDB / MySQL server / Cluster
2. Using already-created DB users, without requiring root DB access.
Update: added external mariadb precheck
Change-Id: I78b0d178306d7c5293b0bf53e445f19f18b4b824
Implements: blueprint external-mariadb-support.
Closes-Bug: #1603121
through the database_address has beed defined in groups_vars/all.yml, we should
better use it, this way, if we want to use external database, we just need to
redefined in all.yml
refer to https://github.com/openstack/kolla-ansible/blob/master/ansible/group_vars/all.yml#L83
Co-Authored-By: chenqiaomin <chen.qiaomin@99cloud.net>
Change-Id: Ie559301451954e16347ceaabf02f594c5c5cbe56
Provide support fot kolla dev mode in Keystone. When
'kolla_dev_mode' or 'keystone_dev_mode' variables are
enabled, source code of Keystone project is cloned
and bindmounted.
Partially implements: blueprint mount-sources
Change-Id: Ie4cf401ecd9a507e739a53dfdf16f65292ab57e5
This commit separates the messaging rpc and notify transports in order
to support separate and different oslo.messaging backends
This patch:
* add rpc and notify variables
* update service role conf templates
* add example to globals.yaml
* add release note
Implements: blueprint hybrid-messaging
Change-Id: I34691c2895c8563f1f322f0850ecff98d11b5185
1- Expand and migrate database in first keystone node
2- Upgrade all nodes sequentially along with updation of each node's
configuration file with latest release version
3- Last keystone node, contract database
With this patch, there is small downtime when all containers are
restarted. It will be fixed in other patch.
[1] http://docs.openstack.org/developer/keystone/upgrading.html#upgrading-without-downtime
Co-Authored-By: Surya Prakash Singh <surya.singh@nectechnologies.in>
Co-Authored-By: Eduardo Gonzalez <dabarren@gmail.com>
Co-Authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>
Partially-Implements: blueprint ks-rolling-upgrade-role
Change-Id: I2159af567c40848840ff5e483e7d1f6de760b435
Add become to only neccesary tasks in roles:
- glance
- heat
- horizon
- keystone
- neutron
- nova
- openvswitch
Gate is also updated to use 'become' feature
Change-Id: I2f3f27306e9f384148e1ad4d54d8da2ebef34d00
Partial-Implements: blueprint ansible-specific-task-become
When deploying with tls enabled in public
endpoints, ansible modules fails due SSL certificates
are self-signed.
This change adds a new variable to allow customization
on which endpoints ansible should connect.
Defaults to admin because admin auth parameters defaults
to admin endpoint.
Change-Id: Ic3ed58cf9c9579cae08a11bbfe6fce983b5a9cbc
Closes-Bug: #1720995
Actually Openstack services configuration can be overriden using many
files:
- /etc/kolla/config/<< service name >>/<< config file >>
- /etc/kolla/config/<< service name >>/<<host>>/<< config file >>
- /etc/kolla/config/global.conf
- /etc/kolla/config/database.conf
- /etc/kolla/config/messaging.conf
Only per-service configuration is actually documented here:
https://github.com/openstack/kolla-ansible/blob/master/doc/advanced-configuration.rst#L164
Allowing to globally modify service configuration can be perform too,
but it can be done in 3 different manners, all not documented:
- /etc/kolla/config/global.conf
- /etc/kolla/config/database.conf
- /etc/kolla/config/messaging.conf
database.conf and messaging.conf seems redundant with global.conf.
In order to simplify codebase it seems logical to remove them.
Documentation has been added for overriding configuration globally and
release note has been added too.
Closes-Bug: #1682479
Change-Id: I5d922dfc0d938173bad34ac64e490b78db1b7e31
Init fernet task fails if keystone_fernet container
is not running and ssh port bind.
This change add a check to ensure all keystone_fernet containers
are running before init fernet tokens.
Change-Id: Ib95bb5a47a9174f1a00b82cc8b697c0dc19c848e
Closes-Bug: #1704758
adding cors section to keystone and gnocchi templates when
grafana is enabled
Change-Id: I54f4c06ed64254df0f9481e461c9393a399212a3
Closes-bug: #1651796
Trace method is enabled in default for httpd. There is security risk
with trace enabled. So disable it in default. more info please check[0].
[0] https://security.stackexchange.com/a/7711
Change-Id: I4496a6d058d88e1abfb210085f189e7a610e0362
Closes-Bug: #1705160
kolla-kubernetes is using its own configuration generation[0], so it is
time for kolla-ansible to remove the related code to simplify the
logical.
[0] https://github.com/openstack/kolla-kubernetes/tree/master/ansible
Change-Id: I7bb0b7fe3b8eea906613e936d5e9d19f4f2e80bb
Implements: blueprint clean-k8s-config
In ansible 2.3.1, conditional statement should not include jinja2
templating delimiters (e.g. {{ ). So, this change removes the
delimiters from when statemant, and also removes unnesessary
parentheses from until statement.
Closes-Bug: 1702607
Change-Id: I071ffd5ba6175ee1bc61719a84b805c022753459
In order to speed up deployment time some "local" actions should be run
only once using 'run_once: True'.
This will decrease deployment time in case of multihost configuration.
Change-Id: I6015d772d35c15e96c52f577013b6e41197cb41a
Some roles have a symlink to deploy.yml file
for reconfigure. This is causing some issues.
"included task files must contain a list of tasks"
Change-Id: Ie7ade52900a61bc1c5b867fa7a8f75fc541a6426
Closes-Bug: #1694251
No handler named "Restart keystone containers", and we should restart
the keystone and the keystone-fernet container according to the context
Closes-Bug: #1699924
Change-Id: I62512dc022426cc762ff603d8554e48651fa621f
Sometimes Ansible is faster running tasks that haproxy tagging Keystone
services as UP. Keystone bootstrap uses SQL directly but the default
user role creation requires the API, and because of that it may fail.
Retry in case the backend is not yet available.
Change-Id: I9dfc030bbf92ca0a3dcb008d55e9fa2055f900ec
Closes-Bug: 1699096
Ansible task support vars directive, no need implement another one in
merge_config. This patch remove the vars directive in merge_config
action plugin.
Change-Id: I33648a2b6e39b4d49ce76eb66fbf2522721f8c68
keystone-paste.ini file is introduced by
I3a3ca2e74c0ae341105d3481f97956c6da473046 for a security risk of
admin_token_auth middleware. Now this middleware is removed by
I57586ccfa0ad1309cc806d95377dc1ecad015914. So it is safe to use upstream
keystone-paste.ini file.
This patch also keep custom paste file feature. Just put the file to
/etc/kolla/config/keystone/keyston-paste.ini path.
Closes-Bug: #1695023
Partially-Implements: blueprint custom-paste
Change-Id: Ieb983b6a9edb6a156928f6b56a4bd2dbed4281e2
[WARNING]: when statements should not include jinja2 templating
delimiters such as {{ }} or {% %}. Found: {{
(keystone_bootstrap.stdout | from_json).changed }}
Closes-Bug: #1689550
Change-Id: Ib6fdbcde02319011b072990f06fbd5e74b8d2d93
In case Kolla's users want to deploy with both of
binary and source image, we should have a variable
install type that define install type for each project.
We also add specific image tag for each Openstack project.
This commit is implemented for Ironic, Kabor,
Keystone project and iscsi as well.
Change-Id: I134d840b1c0e24171a32dec0c7daa6dc2e9ecd87
Implements: blueprint mixing-binary-and-source-image
Many of the templates use 600, remove unnecessary permission
on these templates to bring them in line with the others.
Change-Id: I30fe1b3822b9c7bb6ab98729fc519dc1d603db27
wait_for module waits 300 seconds for the port started or stopped. This
is meaningless and useless in precheck. This patch change timeout to 1
seconds.
Change-Id: I9b251ec4ba17ce446655917e8ef5e152ef947298
Closes-Bug: #1688152
The current module 'kolla_sanity' was written as a shim before full
shade support was added to Ansible. This should now no longer be needed,
we can implement the checks using Ansible provided modules.
Begin by updating the Keystone check to use 'os_auth' to fetch a token,
I think this is a good basic smoke test to verify Keystone is working.
Change-Id: I16049d9201fd8138c781ef2e1e0c1827ea817259
Partially-implements: blueprint sanity-check-container
