1591 Commits

Author SHA1 Message Date
Matthias Runge
ccf8cc5dca Remove support for panko
the project is deprecated and in the process of being removed
from OpenStack upstream.

Change-Id: I9d5ebed293a5fb25f4cd7daa473df152440e8b50
2021-06-11 18:00:05 +02:00
Zuul
01142ecf2d Merge "Reduce RabbitMQ busy waiting, lowering CPU load" 2021-06-11 09:35:24 +00:00
Radosław Piliszek
0fa4ee56eb Disable docker's ip-forward when iptables disabled
With the new default since Wallaby, starting Docker makes it
enable forwarding and not filter it at all.
This may pose a security risk and should be mitigated.

Closes-Bug: #1931615
Change-Id: I5129136c066489fdfaa4d93741c22e5010b7e89d
2021-06-10 19:02:33 +00:00
Zuul
aa8b8798ac Merge "Fix RabbitMQ restart ordering" 2021-06-08 17:53:11 +00:00
Zuul
8e9b4ced7e Merge "Add forgotten 'Restart container' handler for swift" 2021-06-08 09:51:55 +00:00
Mark Goddard
0cd5b027c9 Fix RabbitMQ restart ordering
The host list order seen during Ansible handlers may differ to the usual
play host list order, due to race conditions in notifying handlers. This
means that restart_services.yml for RabbitMQ may be included in a
different order than the rabbitmq group, resulting in a node other than
the 'first' being restarted first. This can cause some nodes to fail to
join the cluster. The include_tasks loop was introduced in [1].

This change fixes the issue by splitting the handler into two tasks, and
restarting the first node before all others.

[1] https://review.opendev.org/c/openstack/kolla-ansible/+/763137

Change-Id: I1823301d5889589bfd48326ed7de03c6061ea5ba
Closes-Bug: #1930293
2021-06-08 08:20:46 +00:00
Maksim Malchuk
5c19f9a5e0 Add forgotten 'Restart container' handler for swift
Since I0474324b60a5f792ef5210ab336639edf7a8cd9e swift role uses the new
service-cert-copy role introduced in the
I6351147ddaff8b2ae629179a9bc3bae2ebac9519 but the swift role itself
doesn't contain the handler used in the service-cert-copy. Right now,
restarting the swift container isn't necessary, but the handler should
exist. Also we should fix the name of the service used.

Closes-Bug: #1931097
Change-Id: I2d0615ce6914e1f875a2647c8a95b86dd17eeb22
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
2021-06-08 02:48:40 +03:00
John Garbutt
70f6f8e4c0 Reduce RabbitMQ busy waiting, lowering CPU load
On machines with many cores, we were seeing excessive CPU load on systems
that were not very busy. With the following Erlang VM argument we saw
RabbitMQ CPU usage drop from about 150% to around 20%, on a system with
40 hyperthreads.

    +S 2:2

By default RabbitMQ starts N schedulers where N is the number of CPU
cores, including hyper-threaded cores. This is fine when you assume all
your CPUs are dedicated to RabbitMQ. It's not a good idea in a typical
Kolla Ansible setup. Here we go for two scheduler threads.
More details can be found here:
https://www.rabbitmq.com/runtime.html#scheduling
and here:
https://erlang.org/doc/man/erl.html#emulator-flags

    +sbwt none

This stops busy waiting of the scheduler, for more details see:
https://www.rabbitmq.com/runtime.html#busy-waiting
Newer versions of rabbit may need additional flags:
"+sbwt none +sbwtdcpu none +sbwtdio none"
But this patch should be back portable to older versions of RabbitMQ
used in Train and Stein.

Note that information on this tuning was found by looking at data from:
rabbitmq-diagnostics runtime_thread_stats
More details on that can be found here:
https://www.rabbitmq.com/runtime.html#thread-stats

Related-Bug: #1846467

Change-Id: Iced014acee7e590c10848e73feca166f48b622dc
2021-06-07 13:18:39 +01:00
Zuul
dda787fca9 Merge "Bump min Docker version" 2021-06-07 09:00:26 +00:00
Zuul
3337e9873a Merge "chrony: allow to remove the container" 2021-06-07 08:55:19 +00:00
Scott Shambarger
aea9bf3550 monasca-thresh: Fix topology submission to storm
monasca-thresh currently runs a local copy of the storm
to handle the threshold topology.  However, it doesn't set up
the environment correctly, and the executable fails, causing
the container to continually restart.

This patch updates the container command to correctly
submit the topology to the running Apache storm.  The
container will exit after it finishes the submission,
so the restart_policy is updated to on-failure, this way
if the storm is temporarily unavailable, the submission
will be retried. (NOTE: further deploys will see the
container as "changed" as it won't be running)

Patch uses KOLLA_BOOTSTRAP to trigger the container to
check if the topology is already submitted, and if so skips
the submission command so the container doesn't fail.

The config task now triggers a new reconfigure handler that
spawns a one-shot container to replace any existing topology
if the configuration has changed.

Also, all the storm.* variables in storm.yml.j2 are
removed as they were only needed for local mode and
make submitted topologies fail to load when the storm
is restarted (the referenced directories not mounted
on nimbus).

Depends-On: https://review.opendev.org/c/openstack/kolla/+/792751
Closes-Bug: #1808805
Change-Id: Ib225d76076782d695c9387e1c2693bae9a4521d7
2021-06-06 13:41:29 -07:00
Zuul
fad696be8d Merge "Fix release note markup" 2021-06-05 09:32:16 +00:00
Mark Goddard
46bd05250d baremetal: fix /etc/hosts generation when api_interface has dashes
Interface names with dashes can cause problems in Ansible since dashes
are replaced with underscores when referencing facts. In the baremetal
role we reference the fact for api_interface without replacing dashes
with underscores. This may result in host entries being omitted from
/etc/hosts.

This change fixes the issue.

Change-Id: I667adc7d8a7dbd20dbfa293f389e02355f8275bb
Related-Bug: #1927357
2021-06-04 17:11:05 +01:00
John Garbutt
dee9d22dcf Add suppress_type_name to stop warnings with ES7
When using elasticsearch 7 with fluentd, you seem to get a lot
of warnings in the docker logs output that look like:

    [types removal] Specifying types in bulk requests is deprecated.

The docs suggest adding suppress_type_name to stop these warnings,
and that seems to work without affecting any functionality.

Further info here:
https://github.com/uken/fluent-plugin-elasticsearch/issues/785

Closes-Bug: #1930856
Change-Id: I45be67df3717f78d78bcdc7df69600ab8681922f
2021-06-04 10:21:24 +01:00
Mark Goddard
84ac7b3096 chrony: allow to remove the container
The chrony container is deprecated in Wallaby, and disabled by default.
This change allows to remove the container if chrony is disabled.

Change-Id: I1c4436072c2d47a95625e64b731edb473384b395
2021-06-02 17:28:35 +00:00
Pierre Riteau
887bf6f1f3 Fix release note markup
Change-Id: I73c2b0ab9c81bfad59725a3ea16eab5c13e07815
2021-05-31 11:14:38 +02:00
Radosław Piliszek
9a77fb1ca0 Add support for Debian Bullseye (11) as host distro
Makes nova-libvirt container always run in 'host' CgroupnsMode
to ensure it works.

Change-Id: I75105baf434977c68bc5c8ca1f5213e602c52c8c
2021-05-30 18:40:12 +00:00
Radosław Piliszek
95520df094 [docker] Add support for setting CgroupnsMode
This is required to support Debian Bullseye (11) - need to set
nova-libvirt to use 'host' CgroupnsMode.

Change-Id: I40213d4092fa325bcf37bb1fb4437ab125fe328b
2021-05-30 18:28:54 +00:00
Radosław Piliszek
a3caf8c3a0 Bump min Docker version
And python-docker version.
Make them less scary.

Change-Id: I134e8aa8ed5eae479e5af743464dc2a0e40a1353
2021-05-28 13:22:38 +00:00
Pierre Riteau
bb56861cc5 Use mariadb-server image for mariabackup
The mariadb image was removed in Wallaby, leading to database backup
failures.

Change-Id: I90986e7521779997df2782767bb95efcbd8ef232
Closes-Bug: #1928129
2021-05-28 13:24:11 +02:00
Scott Shambarger
283b0dec63 fluentd: Fix check for external elasticsearch
When enable_elasticsearch is False, and kolla_internal_fqdn is set
and elasticsearch_address is the default, fluentd is still enabling
output to elasticsearch.

elasticsearch_address defaults to kolla_internal_fqdn, but the
check to enable logging to an "external" elasticsearch host
compares with kolla_internal_vip_address (fqdn != vip address).

This patch fixes the comparison to use the kolla_internal_fqdn.

Closes-Bug: #1927880
Change-Id: If23a6b1273c2639d1296becc9d222546d52f63ac
2021-05-27 17:26:04 +00:00
Zuul
4e28adbe6e Merge "docs: update supported OS distros" 2021-05-25 12:33:59 +00:00
Mark Goddard
86ddc94ec2 Fix exit code with bogus command name
Running this:

    $ kolla-ansible bogus-command

Should show usage & give a non-zero exit code. Previously it gave a zero
exit code. This change fixes the issue.

Closes-Bug: #1929397

Change-Id: I580c208d61d5efe115f936dfb8f3f6508acd91b2
2021-05-25 08:52:19 +00:00
Zuul
cc5667db01 Merge "Remove Monasca Grafana service" 2021-05-21 09:42:42 +00:00
Zuul
e9490fc747 Merge "Disable usage collection in Kibana" 2021-05-21 09:42:04 +00:00
Zuul
a753d54fc0 Merge "Use Docker healthchecks for qdrouterd services" 2021-05-20 02:57:19 +00:00
Michał Nasiadka
b053bd8ecf baremetal: Install Docker SDK less than 5.0.0
Docker 5.0.0 [1] dropped requirement for six, but still imports it.

[1]: https://github.com/docker/docker-py/issues/2807

Closes-Bug: #1928915
Change-Id: I726541f4b3fdc357387a44c6a2153593a10bf282
2021-05-19 07:33:35 +00:00
Zuul
c61bee3fb4 Merge "baremetal: Don't start Docker after install on Debian/Ubuntu" 2021-05-14 09:40:04 +00:00
Michał Nasiadka
bc96179195 baremetal: Don't start Docker after install on Debian/Ubuntu
docker-ce on Debian/Ubuntu gets started just after installation, before
baremetal role configures daemon.json - which results in iptables rules
being implemented - but not removed on docker engine restart.

Closes-Bug: #1923203

Change-Id: Ib1faa092e0b8f0668d1752490a34d0c2165d58d2
2021-05-14 09:00:01 +02:00
Christian Berendt
6230971b92 gnocchi: fix external ceph integration when gnocchi-statsd is disabled
Closes-Bug: #1926914

Change-Id: I7f472a27eb9f2e1f267d7c4bac22236cdd076322
2021-05-13 08:11:56 +00:00
Mark Goddard
f295b1a055 docs: update supported OS distros
* add CentOS Stream 8 info & reno
* mark RHEL as deprecated in docs

Change-Id: Ifa3b8c7365e4092202bf9e89b67293cf8d983e0a
2021-05-12 10:35:54 +01:00
Piotr Parczewski
b300f7bc40 Disable Alertmanager's peer gossip in non-HA deployments
Reference:

https://github.com/prometheus/alertmanager#turn-off-high-availability

Closes-Bug: #1926463
Change-Id: I60e1dedeac25fa8fe9538a3a8e582bd8cc9324d7
2021-05-11 14:39:29 +00:00
Florian LEDUC
e923236001 Add ability to use the Neutron packet logging framework
* Enables the Neutron packet logging framework for OVS
(https://docs.openstack.org/neutron/latest/admin/config-logging.html).
* Adds a toggle variable "enable_neutron_packet_logging"

Change-Id: Ica3594cdac634b496949a06ed813dccd18090af4
Implements: blueprint neutron-log-service-plugin
2021-05-11 13:50:49 +02:00
Michal Arbet
41fe771bcc Do not write octavia_amp_ssh_key if auto_config disabled
This task is writing private key from passwords to
/etc/kolla/octavia-worker/{{ octavia_amp_ssh_key_name }} even
if user disabled octavia auto configure.

This patch is adding conditional for this task and skipping
it if octavia_auto_configure: "no".

Closes-Bug: #1927727

Change-Id: Ib993b387d681921d804f654bea780a1481b2b0d0
2021-05-10 11:13:41 +00:00
Michał Nasiadka
aff99355d2 ovn: make DVR work on VLAN tenant networks
In order for DVR to work on VLAN tenant networks we need to configure
external_ids:ovn-chassis-mac-mappings with per node generated MAC [1]
on computes [1].

[1]: 1fed74cfc1

Co-Authored-By: Bartosz Bezak <bartosz@stackhpc.com>

Depends-On: https://review.opendev.org/c/openstack/neutron/+/782250
Change-Id: I3a3ccde5b9ef2afb4c3e9206f13827687880cb57
2021-05-06 10:17:59 +00:00
Radosław Piliszek
b056f54c14 Deprecate tempest and rally
Per [1].

[1] http://eavesdrop.openstack.org/meetings/kolla/2021/kolla.2021-04-28-15.00.html

Change-Id: Ie109d15db1e26e20b78efdb4ab0653d24054820f
2021-05-05 08:10:28 +00:00
Zuul
3253996434 Merge "Add Monasca Grafana deprecation notice" 2021-04-28 09:24:43 +00:00
Radosław Piliszek
c3afbd3c5e Check config when checking the containers
The proposed approach allows for checking whether config
files are current, e.g. cases when the deployment was aborted after
config files were generated but before they were injected into the
containers which led to old config staying in containers.

After this patch we can do:
  kolla-ansible genconfig
  kolla-ansible deploy-containers
and it would do what we expected rather than being a noop
in the second part.

We also lose the need to have notifies
and whens in config and handler sections respectively.
This is optimised in a separate patch.

Future work:
- optimise for large files
  - could we get away with comparing timestamps and sizes?
    container's should have a newer timestamp due to copy,
    could also preserve it

Change-Id: I1d26e48e1958f13b854d8afded4bfba5021a2dec
Closes-Bug: #1848775
Depends-On: https://review.opendev.org/c/openstack/kolla/+/773257
Co-Authored-By: Mark Goddard <mark@stackhpc.com>
2021-04-27 17:53:40 +00:00
Radosław Piliszek
83f3422fbd Deprecate enable_host_ntp
As agreed during IRC meeting. [1]

[1] http://eavesdrop.openstack.org/meetings/kolla/2021/kolla.2021-04-07-15.00.html

Change-Id: Ibffa019e2106784e97f5c482106bb5082f788752
2021-04-27 16:03:22 +00:00
Doug Szumski
82cf40edf2 Remove Monasca Grafana service
In the Xena cycle it was decided to remove the Monasca
Grafana fork due to lack of maintenance. This commit removes
the service and provides a limited workaround using the
Monasca Grafana datasource with vanilla Grafana.

Depends-On: I9db7ec2df050fa20317d84f6cea40d1f5fd42e60
Change-Id: I4917ece1951084f6665722ba9a91d47764d3709a
2021-04-27 11:06:25 +00:00
Doug Szumski
8a1e9e984b Add Monasca Grafana deprecation notice
Change-Id: I04bafaebba44d162adb908839cdad6f5bb6ee8f7
2021-04-27 10:13:00 +01:00
Radosław Piliszek
7e81e20e76 Skip setting rp_filter by default
We don't do the best job with it and it's better to rely on users'
and distros' default policies than try to water those down.

Closes-Bug: #1837551
Change-Id: I72b13adef60900fc31f1293c516030026f004216
2021-04-25 14:54:55 +00:00
9cfd4f5d05 Update master for stable/wallaby
Add file to the reno documentation build to show release notes for
stable/wallaby.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/wallaby.

Sem-Ver: feature
Change-Id: I34e6b2e1b9411e360994684f62414703f3bb2299
2021-04-23 12:40:49 +00:00
Zuul
058dd6828d Merge "Apply Zun configuration for Docker based on inventory" 2021-04-21 13:09:13 +00:00
Mark Goddard
5c39810de2 Apply Zun configuration for Docker based on inventory
If docker_configure_for_zun is set to true, then Zun-specific
configuration for Docker is applied to all nodes. It should only be
applied based on the relevant inventory groups. In some cases this can
cause Docker to fail to start. See
https://storyboard.openstack.org/#!/story/2008544 for details.

This change applies the configuration based on the zun-compute and
zun-cni-daemon groups. It also modifies the expression to not assume
that these groups exist in the inventory.

Change-Id: I0141abf0dd83e3a567ea6dcca945f86db129becf
Closes-Bug: #1914378
Story: 2008544
Task: 41645
Co-Authored-By: Buddhika Sanjeewa <bsanjeewa@kln.ac.lk>
2021-04-21 10:42:55 +00:00
Zuul
980dd33721 Merge "mariadb: Deprecate wsrep-notify.sh" 2021-04-21 09:50:44 +00:00
Michał Nasiadka
63405a4728 Tidy up Wallaby renos
Change-Id: Idad2d4f8bf5f54c57d2c5fccbf6eff7d54f040dd
2021-04-19 11:40:15 +01:00
Michał Nasiadka
451844ac67 mariadb: Deprecate wsrep-notify.sh
Change-Id: I14376dac46809f8bb466ec41f279be8d323d459d
2021-04-15 08:12:31 +00:00
Zuul
0b5089ed5a Merge "masakari: support host monitor" 2021-04-14 20:02:30 +00:00
LinPeiWen
1ddef85973 Use Docker healthchecks for rabbitmq services
This change enables the use of Docker healthchecks for rabbitmq services.

Implements: blueprint container-health-check
Depends-On: https://review.opendev.org/c/openstack/kolla/+/784562

Change-Id: I23a2c2efab858b9ed39c6ce0ec4a82df10e7f93d
2021-04-14 05:47:13 +00:00