1591 Commits

Author SHA1 Message Date
Zuul
ce0a7a5070 Merge "Support Prometheus as metrics database for Ceilometer" 2022-03-22 17:48:12 +00:00
Zuul
411c05c2f4 Merge "Ironic: rebootstrap ironic-pxe on upgrade" 2022-03-22 17:39:58 +00:00
Will Szumski
3ca805041b Enable memcached backend for mod_auth_openidc
Change-Id: Ie87a7488dad369464793b47c3d2db67d7dc1694e
2022-03-22 16:29:43 +00:00
Radosław Piliszek
1db06b3277 Ironic: rebootstrap ironic-pxe on upgrade
Like other containers.

This ensures that upgrade already updates PXE components and no
additional deploy/reconfigure is needed.

Closes-Bug: #1963752
Change-Id: I368780143086bc5baab1556a5ec75c19950d5e3c
2022-03-21 14:55:14 +00:00
Juan Pablo Suazo
6cf03122ee Support Prometheus as metrics database for Ceilometer
This commit adds support for pushing Ceilometer metrics
to Prometheus instead of Gnocchi or alongside it.


Closes-Bug: #1964135
Signed-off-by: Juan Pablo Suazo <jsuazo@whitestack.com>
Change-Id: I9fd32f63913a534c59e2d17703702074eea5dd76
2022-03-21 14:20:02 +00:00
Mark Goddard
80b311bef7 libvirt: add nova-libvirt-cleanup command
Change Ia1239069ccee39416b20959cbabad962c56693cf added support for
running a libvirt daemon on the host, rather than using the nova_libvirt
container. It did not cover migration of existing hosts from using a
container to using a host daemon.

This change adds a kolla-ansible nova-libvirt-cleanup command which may
be used to clean up the nova_libvirt container, volumes and related
items on hosts, once it has been disabled.

The playbook assumes that compute hosts have been emptied of VMs before
it runs. A future extension could support migration of existing VMs, but
this is currently out of scope.

Change-Id: I46854ed7eaf1d5b5e3ccd8531c963427848bdc99
2022-03-21 11:54:54 +00:00
Mark Goddard
4e41acd8f0 libvirt: make it possible to run libvirt on the host
In some cases it may be desirable to run the libvirt daemon on the host.
For example, when mixing host and container OS distributions or
versions.

This change makes it possible to disable the nova_libvirt container, by
setting enable_nova_libvirt_container to false. The default values of
some Docker mounts and other paths have been updated to point to default
host directories rather than Docker volumes when using a host libvirt
daemon.

This change does not handle migration of existing systems from using
a nova_libvirt container to libvirt on the host.

Depends-On: https://review.opendev.org/c/openstack/ansible-collection-kolla/+/830504

Change-Id: Ia1239069ccee39416b20959cbabad962c56693cf
2022-03-21 11:54:31 +00:00
Zuul
ed148cd8dd Merge "[external-ceph] Use template instead of copy" 2022-03-19 00:04:33 +00:00
Imran Hussain
4c221be86e [external-ceph] Use template instead of copy
Consistently use template instead of copy. This has the added
advantage of allowing variables inside ceph conf files and keyrings.

Closes-Bug: 1959565

Signed-off-by: Imran Hussain <ih@imranh.co.uk>
Change-Id: Ibd0ff2641a54267ff06d3c89a26915a455dff1c1
2022-03-18 15:09:30 +00:00
Zuul
6c04445c7b Merge "cinder: restart services after upgrade" 2022-03-18 13:47:31 +00:00
Zuul
25fd28598b Merge "Ironic: Avoid setting deprecated pxe_append_params" 2022-03-18 13:37:59 +00:00
Zuul
3a9597fc37 Merge "ADD venus for kolla-ansible" 2022-03-18 13:10:21 +00:00
jinyuanliu
3ccb176f13 ADD venus for kolla-ansible
This project [1] can provide a one-stop solution to log collection,
cleaning, indexing, analysis, alarm, visualization, report generation
and other needs, which involves helping operator or maintainer to
quickly solve retrieve problems, grasp the operational health of the
platform, and improve the level of platform management.

[1] https://wiki.openstack.org/wiki/Venus

Change-Id: If3562bbed6181002b76831bab54f863041c5a885
2022-03-17 20:35:08 +08:00
Zuul
668fecf397 Merge "Adds etcd endpoints as a Prometheus scrape target" 2022-03-16 17:55:00 +00:00
Mark Goddard
d2d4b53d47 libvirt: support SASL authentication
In Kolla Ansible OpenStack deployments, by default, libvirt is
configured to allow read-write access via an unauthenticated,
unencrypted TCP connection, using the internal API network.  This is to
facilitate migration between hosts.

By default, Kolla Ansible does not use encryption for services on the
internal network (and did not support it until Ussuri). However, most
other services on the internal network are at least authenticated
(usually via passwords), ensuring that they cannot be used by anyone
with access to the network, unless they have credentials.

The main issue here is the lack of authentication. Any client with
access to the internal network is able to connect to the libvirt TCP
port and make arbitrary changes to the hypervisor. This could include
starting a VM, modifying an existing VM, etc. Given the flexibility of
the domain options, it could be seen as equivalent to having root access
to the hypervisor.

Kolla Ansible supports libvirt TLS [1] since the Train release, using
client and server certificates for mutual authentication and encryption.
However, this feature is not enabled by default, and requires
certificates to be generated for each compute host.

This change adds support for libvirt SASL authentication, and enables it
by default. This provides base level of security. Deployments requiring
further security should use libvirt TLS.

[1] https://docs.openstack.org/kolla-ansible/latest/reference/compute/libvirt-guide.html#libvirt-tls

Depends-On: https://review.opendev.org/c/openstack/kolla/+/833021
Closes-Bug: #1964013
Change-Id: Ia91ceeb609e4cdb144433122b443028c0278b71e
2022-03-10 16:57:16 +00:00
Zuul
da476a7fea Merge "Explicitly unset net.ipv4.ip_forward sysctl" 2022-03-09 15:40:32 +00:00
Zuul
02a3cbcde3 Merge "Make cron logfile minsize,maxsize configurable" 2022-03-08 16:33:27 +00:00
Nathan Taylor
0f2794a075 Adds etcd endpoints as a Prometheus scrape target
Add "enable_prometheus_etcd_integration" configuration parameter which
can be used to configure Prometheus to scrape etcd metrics endpoints.
The default value of "enable_prometheus_etcd_integration" is set to
the combined values of "enable_prometheus" and "enable_etcd".

Change-Id: I7a0b802c5687e2d508e06baf55e355d9761e806f
2022-03-08 08:42:19 -07:00
Mark Goddard
caf33be54b Explicitly unset net.ipv4.ip_forward sysctl
While I8bb398e299aa68147004723a18d3a1ec459011e5 stopped setting
the net.ipv4.ip_forward sysctl, this change explicitly removes the
option from the Kolla sysctl config file. In the absence of another
source for this sysctl, it should revert to the default of 0 after the
next reboot.

A deployer looking to more aggressively change the value may set
neutron_l3_agent_host_ipv4_ip_forward to 0. Any deployments still
relying on the previous value may set
neutron_l3_agent_host_ipv4_ip_forward to 1.

Related-Bug: #1945453

Change-Id: I9b39307ad8d6c51e215fe3d3bc56aab998d218ec
2022-03-07 17:31:46 +00:00
Radosław Piliszek
87f7586340 Ironic: Avoid setting deprecated pxe_append_params
Set kernel_append_params instead.

Change-Id: I4fb42d376636dc363cd86950ed37de4a3d28df73
2022-03-04 18:11:43 +01:00
Zuul
68bc4f8f52 Merge "Enable Ironic iPXE support by default" 2022-03-03 16:40:09 +00:00
Zuul
44517dd7b7 Merge "Add Rocky Linux support as Host OS" 2022-03-03 15:45:35 +00:00
Zuul
5dc04b9f47 Merge "rabbitmq: add node parameter in rabbitmq_user call" 2022-03-03 12:47:03 +00:00
Michal Nasiadka
7080ccfc3d Add Rocky Linux support as Host OS
Depends-On: https://review.opendev.org/c/openstack/ansible-collection-kolla/+/831642
Change-Id: I70dcd2d0cade52a23b3e219b7e0aaa31193ec938
2022-03-03 09:59:16 +00:00
IDerr
38729dc39c rabbitmq: add node parameter in rabbitmq_user call
Change-Id: I4cf48620f03d67ea4a9ef327afbf3b1ebe28550b
Closes-Bug: #1946506
2022-03-02 12:57:42 +00:00
Zuul
09db789a65 Merge "Fix hard coded OIDC response type" 2022-02-28 13:42:17 +00:00
Radosław Piliszek
baeca81a43 Enable Ironic iPXE support by default
Ironic has changed the default PXE to be iPXE (as opposed to plain
PXE) in Yoga. Kolla Ansible supports either one or the other and
we tend to stick to upstream defaults so this change enables
iPXE instead of plain PXE - by default - the users are allowed
to change back and they need to take one other action so it is
good to remind them via upgrade notes either way.

Change-Id: If14ec83670d2212906c6e22c7013c475f3c4748a
2022-02-25 23:02:42 +01:00
Zuul
5e58d6d502 Merge "Add openvswitch and prometheus to logrotate" 2022-02-24 10:37:34 +00:00
Juan Pablo Suazo
80ee3f2e5c Add openvswitch and prometheus to logrotate
Closes-Bug: #1961795

Change-Id: I5547cce5c389846ed216bb898b78e45b8f231e1e
2022-02-24 08:03:17 +00:00
Zuul
6e267aed1d Merge "Remove classic queue mirroring for internal RabbitMQ" 2022-02-23 11:43:26 +00:00
Piotr Parczewski
d32197271f Fix hard coded OIDC response type
Closes-bug: 1959781
Change-Id: If574d2242aa6a875dcf624d95495e6cec6fefddd
2022-02-23 10:57:33 +01:00
Mark Goddard
a6768dd33b Fix location of release note for ironic-neutron-agent healthcheck
TrivialFix

Change-Id: Id85a5d69e1222b616705e24885252425c92af527
2022-02-22 12:12:00 +00:00
Zuul
d25d490e4d Merge "cloudkitty: fix URL used for Prometheus collector" 2022-02-22 09:07:51 +00:00
Zuul
0ed32c82b9 Merge "ironic: sync default inspection UEFI iPXE bootloader with Ironic" 2022-02-21 21:35:58 +00:00
Zuul
63706667e1 Merge "Add support for deploying Prometheus libvirt exporter" 2022-02-21 21:35:55 +00:00
Doug Szumski
6bfe1927f0 Remove classic queue mirroring for internal RabbitMQ
When OpenStack is deployed with Kolla-Ansible, by default there
are no durable queues or exchanges created by the OpenStack
services in RabbitMQ. In Rabbit terminology, not being durable
is referred to as `transient`, and this means that the queue
is generally held in memory.

Whether OpenStack services create durable or transient queues is
traditionally controlled by the Oslo Notification config option:
`amqp_durable_queues`. In Kolla-Ansible, this remains set to
the default of `False` in all services. The only `durable`
objects are the `amq*` exchanges which are internal to RabbitMQ.

More recently, Oslo Notification has introduced support for
Quorum queues [7]. These are a successor to durable classic
queues, however it isn't yet clear if they are a good fit for
OpenStack in general [8].

For clustered RabbitMQ deployments, Kolla-Ansible configures all
queues as `replicated` [1]. Replication occurs over all nodes
in the cluster. RabbitMQ refers to this as 'mirroring of classic
queues'.

In summary, this means that a multi-node Kolla-Ansible deployment
will end up with a large number of transient, mirrored queues
and exchanges. However, the RabbitMQ documentation warns against
this, stating that 'For replicated queues, the only reasonable
option is to use durable queues: [2]`. This is discussed
further in the following bug report: [3].

Whilst we could try enabling the `amqp_durable_queues` option
for each service (this is suggested in [4]), there are
a number of complexities with this approach, not limited to:

1) RabbitMQ is planning to remove classic queue mirroring in
   favor of 'Quorum queues' in a forthcoming release [5].
2) Durable queues will be written to disk, which may cause
   performance problems at scale. Note that this includes
   Quorum queues which are always durable.
3) Potential for race conditions and other complexity
   discussed recently on the mailing list under:
   `[ops] [kolla] RabbitMQ High Availability`

The remaining option, proposed here, is to use classic
non-mirrored queues everywhere, and rely on services to recover
if the node hosting a queue or exchange they are using fails.
There is some discussion of this approach in [6]. The downside
of potential message loss needs to be weighed against the real
upsides of increasing the performance of RabbitMQ, and moving
to a configuration which is officially supported and hopefully
more stable. In the future, we can then consider promoting
specific queues to quorum queues, in cases where message loss
can result in failure states which are hard to recover from.

[1] https://www.rabbitmq.com/ha.html
[2] https://www.rabbitmq.com/queues.html
[3] https://github.com/rabbitmq/rabbitmq-server/issues/2045
[4] https://wiki.openstack.org/wiki/Large_Scale_Configuration_Rabbit
[5] https://blog.rabbitmq.com/posts/2021/08/4.0-deprecation-announcements/
[6] https://fuel-ccp.readthedocs.io/en/latest/design/ref_arch_1000_nodes.html#replication
[7] https://bugs.launchpad.net/oslo.messaging/+bug/1942933
[8] https://www.rabbitmq.com/quorum-queues.html#use-cases

Partial-Bug: #1954925
Change-Id: I91d0e23b22319cf3fdb7603f5401d24e3b76a56e
2022-02-21 18:54:04 +00:00
Pierre Riteau
b36c91b684 cloudkitty: fix URL used for Prometheus collector
The Prometheus HTTP API is reachable under /api/v1. Without this fix,
CloudKitty receives 404 errors from Prometheus.

Change-Id: Ie872da5ccddbcb8028b8b57022e2427372ed474e
2022-02-21 18:06:13 +01:00
Zuul
83fa907961 Merge "Add support for VMware First Class Disk (FCD)" 2022-02-21 11:07:00 +00:00
Pierre Riteau
b210dcd6e2 Configure node-exporter to report correct file system metrics
Without this configuration, all mount points are reporting the same
utilisation metrics [1]. With the rslave option, all root mounts from
the host are visible in the container, so we can remove the bind mounts
for /proc and /sys.

[1] https://github.com/prometheus/node_exporter#docker

Change-Id: I4087dc81f9d1fa5daa24b9df6daf1f9e1ccd702f
Closes-Bug: #1961438
2022-02-18 18:36:22 +01:00
Zuul
b668e27356 Merge "Add support for VMware NSXP" 2022-02-18 12:04:41 +00:00
alecorps
812e03f75e Add support for VMware First Class Disk (FCD)
An FCD, also known as an Improved Virtual Disk (IVD) or
Managed Virtual Disk, is a named virtual disk independent of
a virtual machine. Using FCDs for Cinder volumes eliminates
the need for shadow virtual machines.
This patch adds Kolla support.

Change-Id: Ic0b66269e6d32762e786c95cf6da78cb201d2765
2022-02-18 11:15:14 +00:00
Pierre Riteau
dcba829792 Allow to define extra parameters for Prometheus exporters
The following variables are added:

* prometheus_blackbox_exporter_cmdline_extras
* prometheus_elasticsearch_exporter_cmdline_extras
* prometheus_haproxy_exporter_cmdline_extras
* prometheus_memcached_exporter_cmdline_extras
* prometheus_mysqld_exporter_cmdline_extras
* prometheus_node_exporter_cmdline_extras
* prometheus_openstack_exporter_cmdline_extras

Change-Id: I5da2031b9367115384045775c515628e2acb1aa4
2022-02-18 10:12:22 +01:00
Alban Lecorps
458c8b13df Add support for VMware NSXP
NSXP is the OpenStack support for the NSX Policy platform.
This is supported from neutron in the Stein version. This patch
adds Kolla support

This adds a new neutron_plugin_agent type 'vmware_nsxp'. The plugin
does not run any neutron agents.

Change-Id: I9e9d8f07e586bdc143d293e572031368af7f3fca
2022-02-17 08:59:14 +00:00
Zuul
facd64ef26 Merge "[haproxy] optionally set socket to allow admin commands" 2022-02-16 00:33:06 +00:00
Will Szumski
033db44f1c Adds prometheus_scrape_interval
Grafana requires the scrape interval to be set to be able to compute
$__rate_interval. The default is 15s which does not match the kolla
default of 60s. The symptom of not setting this is that you will see
"no data" when zooming graphs that use rate queries. This occurs as the
interval will be set to a period shorter than the scrape interval.
The recommendation is that you use a common scrape interval for all
jobs. See:

- https://grafana.com/blog/2020/09/28/new-in-grafana-7.2-__rate_interval-for-prometheus-rate-queries-that-just-work/
- https://stackoverflow.com/questions/66369969/set-scrape-interval-in-provisioned-prometheus-data-source-in-grafana

Change-Id: I7e5c1e20c7b66b64cbd333f669ef8d8da60daaa8
2022-02-14 11:10:44 +00:00
Pierre Riteau
50edb94ded neutron: fix placement endpoint type configuration
Change-Id: I3362bd283eb7fb80f5da70f2a388f89f220617ea
Closes-Bug: #1960503
2022-02-10 13:14:32 +01:00
Mark Goddard
556d979930 ironic: sync default inspection UEFI iPXE bootloader with Ironic
The bootloader used to boot Ironic nodes in UEFI boot mode during
inspection when iPXE is enabled has been changed from ipxe.efi to
snponly.efi. This is in line with the default UEFI iPXE bootloader used
in Ironic since the Xena release. The bootloader may be changed via
ironic_dnsmasq_uefi_ipxe_boot_file.

Note that snponly.efi was not available via in the ironic-pxe image
prior to I79e78dca550262fc86b092a036f9ea96b214ab48.

Related-Bug: #1959203

Change-Id: I879db340769cc1b076e77313dff15876e27fcac4
2022-02-10 11:46:54 +00:00
Zuul
9fcbbfad75 Merge "Fix Apparmor libvirt profile removal" 2022-02-10 10:36:06 +00:00
Imran Hussain
f4bfab57bd [haproxy] optionally set socket to allow admin commands
Allow operators to set haproxy socket to admin level.
This is done via the flag haproxy_socket_level_admin which
is set to "no" by default.

Closes-Bug: 1960215

Signed-off-by: Imran Hussain <ih@imranh.co.uk>
Change-Id: Ia0da89288d68f5803ace1934c013053f12343195
2022-02-09 17:21:18 +00:00
Zuul
211c34b40e Merge "Glance: add lock_path setting" 2022-02-08 17:24:15 +00:00