1591 Commits

Author SHA1 Message Date
Zuul
bd6ca6b286 Merge "Do not enable mariadb-clustercheck when not needed" 2021-10-05 10:03:53 +00:00
Zuul
059ace7136 Merge "Switch default images source to quay.io" 2021-10-05 10:03:51 +00:00
Radosław Piliszek
15259002be Do not load br_netfilter
Nor set related sysctls.
More details in the reno.

Change-Id: I898548ecc6df3caa094c3222159b7ba1e16dc211
Closes-Bug: #1945789
2021-10-01 13:23:54 +00:00
Mark Goddard
1d0171fc70 monasca: change default of monasca_ntp_server
Updates the default value of 'monasca_ntp_server' from
'external_ntp_servers[0]' to '0.pool.ntp.org'.  This is due to the
removal of the 'external_ntp_servers' variable as part of the removal of
Chrony deployment.

Change-Id: I2e7538a2e95c7b8e9280eb051ee634b4313db129
2021-10-01 14:07:56 +01:00
wu.chunyang
1f71df1a8b Remove chrony role from kolla
chrony is not supported in Xena cycle, remove it from kolla

Moved tasks from chrony role to chrony-cleanup.yml playbook to avoid a
vestigial chrony role.

Co-Authored-By: Mark Goddard <mark@stackhpc.com>

Change-Id: I5a730d55afb49d517c85aeb9208188c81e2c84cf
2021-09-30 18:56:14 +02:00
Zuul
bfba65f286 Merge "Add support for Ceph RadosGW integration" 2021-09-30 16:06:48 +00:00
Zuul
2e9d9148f6 Merge "Deploy source type images by default" 2021-09-30 14:30:34 +00:00
Mark Goddard
8c5012e940 Add support for Ceph RadosGW integration
* Register Swift-compatible endpoints in Keystone
* Load balance across RadosGW API servers using HAProxy

The support is exercised in the cephadm CI jobs, but since RGW is
not currently enabled via cephadm, it is not yet tested.

https://docs.ceph.com/en/latest/radosgw/keystone/

Implements: blueprint ceph-rgw

Change-Id: I891c3ed4ed93512607afe65a42dd99596fd4dbf9
2021-09-30 13:08:13 +00:00
Zuul
9e380bf11c Merge "Transition Keystone admin user to system scope" 2021-09-30 09:33:10 +00:00
Mark Goddard
66c84843e4 Deploy source type images by default
Source images get the most test coverage, so it makes sense to deploy
these by default.

Change-Id: I8d0c8750e2c1600e84cc2e677a4eae0e9f502dac
2021-09-30 08:07:48 +00:00
Radosław Piliszek
1bfed045cf Do not set net.ipv4.ip_forward sysctl
To prevent a security issue.
More details in the reno.

Change-Id: I8bb398e299aa68147004723a18d3a1ec459011e5
Closes-Bug: #1945453
2021-09-29 15:19:12 +00:00
Niklas Hagman
2e933dceb5 Transition Keystone admin user to system scope
A system-scoped token implies the user has authorization to act on the
deployment system. These tokens are useful for interacting with
resources that affect the deployment as a whole, or expose resources
that may otherwise violate project or domain isolation.

Since Queens, the keystone-manage bootstrap command assigns the admin
role to the admin user with system scope, as well as in the admin
project. This patch transitions the Keystone admin user from
authenticating using project scoped tokens to system scoped tokens.
This is a necessary step towards being able to enable the updated oslo
policies in services that allow finer grained access to system-level
resources and APIs.

An etherpad with discussion about the transition to the new oslo
service policies is:

https://etherpad.opendev.org/p/enabling-system-scope-in-kolla-ansible

Change-Id: Ib631e2211682862296cce9ea179f2661c90fa585
Signed-off-by: Niklas Hagman <ubuntu@post.blinkiz.com>
2021-09-28 09:45:06 -07:00
Zuul
56938253a7 Merge "Add way to change weight of haproxy backend per service" 2021-09-28 12:22:55 +00:00
Radosław Piliszek
2c6bc0bd1a Do not create haproxy and swift log dirs needlessly
Closes-Bug: #1945070
Change-Id: I1b2a82b57cb9884b6c3c3ad07f6449ae29042a3d
2021-09-27 16:01:47 +00:00
Zuul
f7d5cebce2 Merge "Use mariadb_tag as default for all mariadb tags" 2021-09-27 10:51:39 +00:00
Michal Arbet
7c2b4bead2 Add way to change weight of haproxy backend per service
This patch adds an option to control the weight of haproxy
backends per service via a host variable.

Example:

[control]
server1 haproxy_nova_api_weight=10
server2 haproxy_nova_api_weight=2 haproxy_keystone_internal_weight=10
server3 haproxy_keystone_admin_weight=50

If weight is not defined, everything works as before.

Change-Id: Ie8cc228198651c57f8ffe3eb060875e45d1f0700
2021-09-26 09:43:57 +02:00
Zuul
d85af34ccd Merge "Bump up Ansible max supported ver to 4.x" 2021-09-24 16:43:01 +00:00
Zuul
59e6688a0c Merge "Add check and diff options to kolla-ansible" 2021-09-24 16:30:46 +00:00
Zuul
3101c5abc3 Merge "Skip setting rp_filter by default" 2021-09-23 19:14:55 +00:00
Michał Nasiadka
1b650534c0 Bump up Ansible max supported ver to 4.x
This change bumps up max supported Ansible version
to 4.x (ansible-core 2.11.x) and minimum to 2.10.

Change-Id: I8b9212934dfab3831986e8db55671baee32f4bbd
2021-09-23 10:45:31 +00:00
Piotr Parczewski
4ff65b7661 Use friendly target names in Prometheus
Change-Id: I16fdb2f93ddb656eeacd3f2b84190f9bdcfaa21c
2021-09-22 11:09:32 +02:00
Michal Arbet
0e720b382b Add check and diff options to kolla-ansible
This patch adds --check and --diff options
to kolla-ansible, which make a kolla-ansible
run more verbose and able to run in
semi dry-run mode.

The --diff option for kolla-ansible can be used alone or
with --check. When you run in diff mode, any module that
supports diff mode reports the changes made or, if used
with --check, the changes that would have been made.
Diff mode is most common in modules that manipulate files
(for example, the template module) but other modules might
also show ‘before and after’ information
(for example, the user module).

For more information check [1].

[1] https://docs.ansible.com/ansible/latest/user_guide/playbooks_checkmode.html#using-diff-mode

Change-Id: Ifb82ea99e5af82540e938eab9e2a442b2820d7df
2021-09-21 17:08:39 +02:00
Mark Goddard
6dc8b56390 Use mariadb_tag as default for all mariadb tags
This allows one variable to specify the tag for all MariaDB images.

Change-Id: I164cdd41787f8bd52d8e08cb380d42625a8bbd84
TrivialFix
2021-09-21 06:50:41 +00:00
Zuul
cdaa0dbe24 Merge "Add disable_firewall variable" 2021-09-20 19:57:38 +00:00
Zuul
e06e531089 Merge "Add kolla-ansible gather-facts command" 2021-09-20 18:54:29 +00:00
Zuul
000b347431 Merge "Remove haproxy,keepalived groups" 2021-09-20 18:09:00 +00:00
Zuul
7cf30017ea Merge "Add Alertmanger metric target(s)" 2021-09-20 18:08:56 +00:00
Radosław Piliszek
2cf9ae2cf5 Do not enable mariadb-clustercheck when not needed
Closes-Bug: #1944114
Change-Id: Idd525fda7ff94f70794f4c582cd74470c7f40fae
2021-09-20 09:58:56 +00:00
Radosław Piliszek
0d9477de38 Switch default images source to quay.io
Docs adapted to match.
Removed the unsupported-for-quay option to set up
a pull-through cache.

Closes-Bug: #1942134
Change-Id: If5a26b1ba4bf35bc29306c24f608396dbf5e3371
2021-09-16 17:27:39 +00:00
Michal Arbet
f0241f807f Remove haproxy,keepalived groups
Haproxy was renamed in [1].

[1] https://review.opendev.org/c/openstack/kolla-ansible/+/770618

Change-Id: Ib2d7f0774fede570a8c4c315d83afd420c31da0b
2021-09-16 13:41:13 +02:00
Zuul
3455105321 Merge "gnocchi: fix external ceph integration when gnocchi-statsd is disabled" 2021-09-15 09:33:03 +00:00
Zuul
a1a22b3a89 Merge "toolbox: Allow different users logging to ansible.log" 2021-09-09 15:55:27 +00:00
Zuul
f27c409eea Merge "Bump libvirtd memlock ulimit" 2021-09-09 10:58:27 +00:00
Zuul
f99bf8325f Merge "Never make Docker registry insecure by default" 2021-09-09 10:49:03 +00:00
Zuul
44c7b166cf Merge "Use Docker healthchecks for mistral services" 2021-09-08 16:07:51 +00:00
Michał Nasiadka
24e6a6ced0 toolbox: Allow different users logging to ansible.log
Currently only operations done with default kolla_toolbox user are logged
to /var/log/kolla/ansible.log.

In order to fix logging, permissions to ansible.log must allow writing
for other users in kolla group - and then a separate patch will follow
to make custom ansible.cfg file usable by other toolbox users.

Partial-Bug: #1942846
Change-Id: I1be60ac7647b1a838e97f05f15ba5f0e39e8ae3c
2021-09-07 14:12:11 +02:00
Zuul
c48469d2ac Merge "Allow override of rabbitmq config in kolla toolbox" 2021-09-07 10:34:54 +00:00
Zuul
39931aedb4 Merge "Fix kolla-toolbox with IPv6 and disabled RabbitMQ" 2021-09-07 10:34:52 +00:00
Radosław Piliszek
11d7233ccc Bump libvirtd memlock ulimit
This is required for libvirtd with cgroupsv2 (Debian Bullseye and
soon others).
Otherwise, device attachments simply fail.
The warning message suggests filtering will be disabled but it
actually just fails the action entirely.

Change-Id: Id1fbd49a31a6e6e51b667f646278b93897c05b21
Closes-Bug: #1941940
2021-09-03 15:37:13 +00:00
Piotr Parczewski
d9e0ca5b3f reno: follow up
corrected nits from:
https://review.opendev.org/c/openstack/kolla-ansible/+/800068
https://review.opendev.org/c/openstack/kolla-ansible/+/803644

Change-Id: Ia30afd795067a36b132a8c75c72dd7c65d624a83
2021-09-02 14:59:26 +02:00
Radosław Piliszek
34c49b9dbe Restore libvirtd cgroupfs mount
It was removed in [1] as part of cgroupsv2 cleanup.
However, the testing did not catch the fact that the legacy
cgroups behaviour was actually still breaking despite latest
Docker and setting to use host's cgroups namespace.

[1] 286a03bad20955aa4d3f7009cef5856d328b76f1

Closes-Bug: #1941706
Change-Id: I629bb9e70a3fd6bd1e26b2ca22ffcff5e9e8c731
2021-08-30 09:33:31 +00:00
Zuul
83c5d95b47 Merge "Support monitoring Fluentd with Prometheus" 2021-08-27 09:34:12 +00:00
Zuul
d104846204 Merge "Use Docker healthchecks for nova-spicehtml5proxy service" 2021-08-27 09:04:51 +00:00
Zuul
26c480ca6f Merge "Use Docker healthchecks for memcached services" 2021-08-27 09:02:17 +00:00
Zuul
e78f4330dd Merge "Use Docker healthchecks for keystone-fernet container" 2021-08-27 09:02:15 +00:00
Zuul
6362dfa942 Merge "Fix Masakari in multi-region deploys" 2021-08-27 08:55:06 +00:00
Mark Goddard
d9a3758952 Add kolla-ansible gather-facts command
In some situations it may be helpful to populate the fact cache on
demand. The 'kolla-ansible gather-facts' command may be used to do this.

One specific case where this may be helpful is when running kolla-ansible
with a --limit argument, since in that case hosts that match the limit
will gather facts for hosts that fall outside the limit. In the extreme
case of a limit that matches only one host, it will serially gather
facts for all other hosts. To avoid this issue, run 'kolla-ansible
gather-facts' without a limit to populate the fact cache in parallel
before running the required command with a limit.

Change-Id: I79db9bca23aa1bd45bafa7e7500a90de5a684593
2021-08-25 16:45:39 +01:00
Zuul
1a538cce0e Merge "Add ability to retry image pulling" 2021-08-23 13:22:31 +00:00
Radosław Piliszek
3c68e82585 Fix Masakari in multi-region deploys
to behave like it is most commonly expected - query Nova in the
same region.

Closes-Bug: #1939291
Change-Id: I584a83d352c747a799b5dab1d3b8159ba3805454
2021-08-20 18:53:46 +00:00
Radosław Piliszek
802f7c6218 Never make Docker registry insecure by default
To follow best security practices and help fellow operators.

More details inline and in the linked bug report.

Closes-Bug: #1940547
Change-Id: Ide9e9009a6e272f20a43319f27d257efdf315f68
2021-08-20 18:23:56 +00:00