keystone-startup.sh is using fernet_token_expiry instead of
fernet_key_rotation_interval - which effects in restart loop of keystone
containers - when restarted after 2-3 days.
Closes-Bug: #1895723
Change-Id: Ifff77af3d25d9dc659fff34f2ae3c6f2670df0f4
This patch introduces an optional backend encryption for the Ironic API
service. When used in conjunction with enabling TLS for service API
endpoints, network communcation will be encrypted end to end, from
client through HAProxy to the Ironic service.
Change-Id: I9edf7545c174ca8839ceaef877bb09f49ef2b451
Partially-Implements: blueprint add-ssl-internal-network
When the internal VIP is moved in the event of a failure of the active
controller, OpenStack services can become unresponsive as they try to
talk with MariaDB using connections from the SQLAlchemy pool.
It has been argued that OpenStack doesn't really need to use connection
pooling with MariaDB [1]. This commit reduces the use of connection
pooling via two configuration options:
- max_pool_size is set to 1 to allow only a single connection in the
pool (it is not possible to disable connection pooling entirely via
oslo.db, and max_pool_size = 0 means unlimited pool size)
- lower connection_recycle_time from the default of one hour to 10
seconds, which means the single connection in the pool will be
recreated regularly
These settings have shown better reactivity of the system in the event
of a failover.
[1] http://lists.openstack.org/pipermail/openstack-dev/2015-April/061808.html
Change-Id: Ib6a62d4428db9b95569314084090472870417f3d
Closes-Bug: #1896635
This allows for more config flexibility - e.g. running multiple
backends with a common frontend.
Note this is a building block for future work on letsencrypt
validator (which should offer backend and share frontend with
any service running off 80/443 - which would be only horizon
in the current default config), as well as any work towards
single port (that is single frontend) and multiple services
anchored at paths of it (which is the new recommended default).
Change-Id: Ie088fcf575e4b5e8775f1f89dd705a275725e26d
Partially-Implements: blueprint letsencrypt-https
This allows for more config flexibility - e.g. running multiple
backends with a common frontend.
It is not possible with the 'listen' approach (which enforces
frontend).
Additionally, it does not really make sense to support two ways
to do the exact same thing as the process is automated and
'listen' is really meant for humans not willing to write separate
sections.
Hence this deprecates 'listen' variant.
At the moment both templates work exactly the same.
The real flexibility comes in following patches.
Note this is a building block for future work on letsencrypt
validator (which should offer backend and share frontend with
any service running off 80/443 - which would be only horizon
in the current default config), as well as any work towards
single port (that is single frontend) and multiple services
anchored at paths of it (which is the new recommended default).
Change-Id: I2362aaa3e8069fe146d42947b8dddf49376174b5
Partially-Implements: blueprint letsencrypt-https
This change adds support for encryption of communication between
OpenStack services and RabbitMQ. Server certificates are supported, but
currently client certificates are not.
The kolla-ansible certificates command has been updated to support
generating certificates for RabbitMQ for development and testing.
RabbitMQ TLS is enabled in the all-in-one source CI jobs, or when
The Zuul 'tls_enabled' variable is true.
Change-Id: I4f1d04150fb2b5af085b762890092f87ae6076b5
Implements: blueprint message-queue-ssl-support
Since change [1] merged we have two mariadb images (mariadb and mariadb-server)
Let's use mariadb-server in kolla-ansible, so we can deprecate mariadb image.
[1]: https://review.opendev.org/#/c/710217/
Change-Id: I4ae2ccaaba8fb516f469f4ce8628e8c61de03f0d
The Prometheus OpenStack exporter was needlessly configured to use the
prometheus Docker volume and change permissions of /data, which does
not exist in the container image.
This must have been copy-pasted from existing Prometheus code.
Change-Id: I96017c17e68ca7a00a2d5ac41f2f43ef87694514
Enabling both l2_population and arp_responder for LinuxBridge can cause
problems in some configurations [0]. This commit removes the explicit
'true', reverting it to the default which is 'False'.
Closes-Bug: #1892776
[0] https://bugs.launchpad.net/neutron/+bug/1661717
Change-Id: Ia9445a651fd7a082835a858964bcb9e8e325338d
Signed-off-by: Nick Jones <nick@dischord.org>
This updates the Elasticsearch template used by Monasca to
persist logs so that is uses the 'new' string types [1]. As
an aside it helps to make the template more clear; full text
search for log messages, and keyword searches for everything
else.
[1] https://www.elastic.co/blog/strings-are-dead-long-live-strings
Closes-Bug: #1892376
Change-Id: I0cd6bf22d4695d88d93241da4364d170d8d8c80e
There is an issue where keystonemiddleware connections to memcached from
neutron-server grow beyond configured values [1], eventually reaching
the maximum number of connections accepted by memcached servers. Other
services do not appear to be affected by this issue.
A workaround is to use the advanced memcached pool. Despite its
documentation claiming to only work with Python 2, it appears to work
fine on Python 3.
[1] https://bugs.launchpad.net/keystonemiddleware/+bug/1883659
Change-Id: Ifbbc2022839cbc575848d830600241c61603c80b
Closes-Bug: #1892210
* Multipath daemon allows to reach block devices
via multiple paths for better resiliency and performance.
Multipathd periodically checks the failed iscsi paths
and maintains a list of valid paths. Libvirt can use more
than one iSCSI path when option volume_use_multipath is set
and when multipathd enabled.
Change-Id: I54629656803c4989f7673e8c69d2a820609b5960
Implements: blueprint nova-libvirt-multipath-iscsi
Previously the post-deploy.yml playbook was executed with become: true,
and the admin-openrc.sh file templated without an owner or mode
specified. This resulted in admin-openrc.sh being owned by root with 644
permissions.
This change creates the file without become: true, and explicitly sets
the owner to the user executing Ansible, and the mode to 600.
Co-Authored-By: Mark Goddard <mark@stackhpc.com>
Closes-Bug: #1891704
Change-Id: Iadf43383a7f2bf377d4666a55a38d92bd70711aa
The "kolla_internal_address" variable is not documented or defined
anywhere. When "kolla_internal_vip_address" is undefined, the error
message is about "kolla_internal_address", which will confuse operators.
This change deprecates "kolla_internal_address", and adds a default
value for "kolla_internal_vip_address" when "kolla_internal_address" is
undefined.
Change-Id: I09694b38420ea67896bb8cf4ffd7ce6f131af10e
Closes-Bug: #1864206
Steps to reproduce:
* Deploy a cloud
* Add another controller to the inventory
* Deploy to the new controller using --limit:
kolla-ansible deploy --limit new-controller
Expected results:
The new controller uses the cluster's existing fernet keys.
Actual results:
New fernet keys are generated on the new controller, and pushed out to
the existing controllers. This invalidates tokens created from those
keys.
This change prevents the above scenario from happening, by failing the
deployment if there are no hosts with existing Ferney keys to
distribute, and not all Keystone hosts are in the target host list.
Closes-Bug: #1891364
Change-Id: If0c0e038b77fc010a3a017f9841a674d53b16457
This patch introduces a global keep alive timeout value for services
that leverage httpd + wsgi to handle http/https requests. The default
value is one minute.
Change-Id: Icf7cb0baf86b428a60a7e9bbed642999711865cd
Partially-Implements: blueprint add-ssl-internal-network
Backport to Ussuri unmodified. Backport to Train and Stein without
DEFAULT_BOOT_SOURCE.
Closes-Bug: #1891024
Change-Id: If8fe490c3f698ab3eb37735fbfcb8ab0d5fa8a06
This fix was premature as it completely ignores
the previously-respected umask.
Let's discuss a proper fix and revert this one
since CI is fixed elsewhere [1].
[1] https://review.opendev.org/743502
This reverts commit 87efdce24bc802777d4da58f9f63c8d0838e7120.
Change-Id: If38adbf124e793574a21ae986f9ee146d587f820
