This change adds support for encryption of communication between
OpenStack services and RabbitMQ. Server certificates are supported, but
currently client certificates are not.
The kolla-ansible certificates command has been updated to support
generating certificates for RabbitMQ for development and testing.
RabbitMQ TLS is enabled in the all-in-one source CI jobs, or when
the Zuul 'tls_enabled' variable is true.
Change-Id: I4f1d04150fb2b5af085b762890092f87ae6076b5
Implements: blueprint message-queue-ssl-support
The use of default(omit) is for module parameters, not templates. We
define a default value for openstack_cacert, so it should never be
undefined anyway.
Change-Id: Idfa73097ca168c76559dc4f3aa8bb30b7113ab28
Include a reference to the globally configured Certificate Authority to
all services. Services use the CA to verify HTTPs connections.
Change-Id: I38da931cdd7ff46cce1994763b5c713652b096cc
Partially-Implements: blueprint support-trusted-ca-certificate-file
Introduce kolla_address filter.
Introduce put_address_in_context filter.
Add AF config to vars.
Address contexts:
- raw (default): <ADDR>
- memcache: inet6:[<ADDR>]
- url: [<ADDR>]
Other changes:
globals.yml - mention just IP in comment
prechecks/port_checks (api_intf) - kolla_address handles validation
3x interface conditional (swift configs: replication/storage)
2x interface variable definition with hostname
(haproxy listens; api intf)
1x interface variable definition with hostname with bifrost exclusion
(baremetal pre-install /etc/hosts; api intf)
neutron's ml2 'overlay_ip_version' set to 6 for IPv6 on tunnel network
basic multinode source CI job for IPv6
prechecks for rabbitmq and qdrouterd use proper NSS database now
MariaDB Galera Cluster WSREP SST mariabackup workaround
(socat and IPv6)
Ceph naming workaround in CI
TODO: probably needs documenting
RabbitMQ IPv6-only proto_dist
Ceph ms switch to IPv6 mode
Remove neutron-server ml2_type_vxlan/vxlan_group setting
as it is not used (let's avoid any confusion)
and could break setups without proper multicast routing
if it started working (also IPv4-only)
haproxy upgrade checks for slaves based on ipv6 addresses
TODO:
ovs-dpdk grabs ipv4 network address (w/ prefix len / submask)
not supported, invalid by default because neutron_external has no address
No idea whether ovs-dpdk works at all atm.
ml2 for xenapi
Xen is not supported too well.
This would require working with XenAPI facts.
rp_filter setting
This would require meddling with ip6tables (there is no sysctl param).
By default nothing is dropped.
Unlikely we really need it.
ironic dnsmasq is configured IPv4-only
dnsmasq needs DHCPv6 options and testing in vivo.
KNOWN ISSUES (beyond us):
One cannot use IPv6 address to reference the image for docker like we
currently do, see: https://github.com/moby/moby/issues/39033
(docker_registry; docker API 400 - invalid reference format)
workaround: use hostname/FQDN
RabbitMQ may fail to bind to IPv6 if hostname resolves also to IPv4.
This is due to old RabbitMQ versions available in images.
IPv4 is preferred by default and may fail in the IPv6-only scenario.
This should be no problem in real life as IPv6-only is indeed IPv6-only.
Also, when new RabbitMQ (3.7.16/3.8+) makes it into images, this will
no longer be relevant as we supply all the necessary config.
See: https://github.com/rabbitmq/rabbitmq-server/pull/1982
For reliable runs, at least Ansible 2.8 is required (2.8.5 confirmed
to work well). Older Ansible versions are known to miss IPv6 addresses
in interface facts. This may affect redeploys, reconfigures and
upgrades which run after VIP address is assigned.
See: https://github.com/ansible/ansible/issues/63227
Bifrost Train does not support IPv6 deployments.
See: https://storyboard.openstack.org/#!/story/2006689
Change-Id: Ia34e6916ea4f99e9522cd2ddde03a0a4776f7e2c
Implements: blueprint ipv6-control-plane
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
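The three address contexts listed above (raw, memcache, url) are easy to get wrong by hand, because an IPv6 literal must be bracketed in a URL and prefixed for memcache while an IPv4 literal must be left alone. The block below is an added example, not kolla-ansible's own filter code; it assumes that IPv4 addresses pass through unchanged in every context (the commit message only shows the IPv6 forms) and uses constructed sample addresses.

```python
import ipaddress

# Address contexts from the commit message: raw -> <ADDR>,
# memcache -> inet6:[<ADDR>], url -> [<ADDR>].
# Assumption (not stated on the page): only IPv6 addresses are wrapped;
# IPv4 passes through unchanged in every context, since neither URLs nor
# memcached server lists bracket IPv4 literals.
CONTEXTS = ("raw", "memcache", "url")


def put_address_in_context(address, context="raw"):
    """Render an IP address literal for the given consumer context."""
    if context not in CONTEXTS:
        raise ValueError("unknown address context: %r" % (context,))
    # Validate and normalise (e.g. "FD00::0001" -> "fd00::1") instead of
    # trusting whatever string came out of interface facts.
    addr = ipaddress.ip_address(address)
    if context == "raw" or addr.version == 4:
        return str(addr)
    if context == "memcache":
        return "inet6:[%s]" % addr
    return "[%s]" % addr  # url context


def build_url(scheme, address, port, path=""):
    """Build an endpoint URL that is valid for both IPv4 and IPv6 hosts."""
    host = put_address_in_context(address, "url")
    return "%s://%s:%d%s" % (scheme, host, port, path)


def memcached_servers(addresses, port):
    """Render a memcached_servers value using the memcache context."""
    return ",".join(
        "%s:%d" % (put_address_in_context(a, "memcache"), port)
        for a in addresses
    )


if __name__ == "__main__":
    # Constructed sample addresses, one per address family.
    for sample in ("192.0.2.10", "fd00:dead:beef::10"):
        print(build_url("https", sample, 9696, "/v2.0"))
        print(memcached_servers([sample], 11211))
```

Running the block prints the IPv4 forms unbracketed and the IPv6 forms as `https://[fd00:dead:beef::10]:9696/v2.0` and `inet6:[fd00:dead:beef::10]:11211`; feeding it a string that is not an IP address raises `ValueError`, which is the validation the port prechecks rely on.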
According to ceilometer commit 9db5c6c9bfc66018aeb78c4a262e1bfa9b326798,
ceilometer removed transformer support,
so remove the transformers config.
Change-Id: I47fc90aa6dff6d0843c90b27a785e0c6b3d2961e
Closes-Bug: #1830601
Similar to what we did here: https://review.opendev.org/#/c/655276 but,
for ceilometer/data/meters.d/meters.yaml file.
The idea is to create a method for operators to manage custom meters
YAML files via Kolla-ansible. To do that, we enable them (operators)
to use a folder called by default "meters.d" in their local
ceilometer configurations, where all of the custom meters YAML files
will be read from. If this folder exists and has YAML files in it, we
copy them to the default "/etc/ceilometer/meters.d" path in the
containers. We do not inject things in the container though. We copy
the files to the control node, and then we map them via
ceilometer*.json container configuration files.
Change-Id: I712edcf39bfdb64887e25437f0aff30a45a829dd
Signed-off-by: Rafael Weingärtner <rafael@apache.org>
By default, Ceilometer uses gnocchi_resources.yaml as cfg_file, which defines
the metric archive policy and the metrics sent to gnocchi. Users may want to define
their own strategy.
Change-Id: I49ba34588101ac2b4f450067c8c9a354134063bb
Signed-off-by: Ning Yao <yaoning@unitedstack.com>
We're duplicating code to build the keystone URLs in nearly every
config, where we've already done it in group_vars. Replace the
redundancy with a variable that does the same thing.
Change-Id: I207d77870e2535c1cdcbc5eaf704f0448ac85a7a
When using ceilometer+gnocchi, for every notification sample, ceilometer
will update the resource even if it is not updated.
We should add a [cache] section to make ceilometer cache the resource and
stop sending the useless update request.
Closes-Bug: #1807841
Change-Id: Ic33b4cd5ba8165c20878cab068f38a3948c9d31d
Alarm service has been moved to Aodh for a long time [1].
Therefore, we should define evaluation_interval in
aodh.conf rather than ceilometer.conf. The interval value
should be configurable as well because we can use a
custom polling config now [2]
[1] https://review.openstack.org/#/c/200593/
[2] https://review.openstack.org/#/c/572013/
Change-Id: I7adeff2dff5d6d6ae4c621e84857347995e9203a
This to support configuration on ceilometer services for XenAPI.
1. set hypervisor_inspector as xenapi
2. Configure the [xenapi] section for the XenAPI connection
For details, please refer to the config doc:
https://docs.openstack.org/ceilometer/latest/configuration/index.html
Change-Id: I4fc649d927031886c694507b3e8a686646a61ef7
blueprint: xenserver-support
- Ceilometer
- Gnocchi
- Rally
This will copy only yaml or json policy file if they exist.
Change-Id: I59f3376ab9fb6fb83577465a6c9096764b9f19c0
Implements: blueprint support-custom-policy-yaml
Co-authored-By: Duong Ha-Quang <duonghq@vn.fujitsu.com>
This commit separates the messaging rpc and notify transports in order
to support separate and different oslo.messaging backends
This patch:
* add rpc and notify variables
* update service role conf templates
* add example to globals.yaml
* add release note
Implements: blueprint hybrid-messaging
Change-Id: I34691c2895c8563f1f322f0850ecff98d11b5185
In ceilometer.conf there is a setting evaluation_interval.
The default is set to 60 seconds.
In pipeline.yaml, there is an interval set for those sources as well,
default value 300 seconds.
The evaluation_interval must be set >= the source interval in pipeline.yaml,
or else when the evaluator runs it won't find any recent data
and will set the state to insufficient data.
see:
https://docs.openstack.org/ocata/config-reference/telemetry/alarming-config-options.html
Change-Id: I82f061d1affc5c3ade75496684fe66e17928e1f3
Closes-Bug: #1704328
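The constraint above (evaluation_interval must be at least the largest source interval in pipeline.yaml, otherwise alarms drift to "insufficient data") is worth checking mechanically before a deploy. The block below is an added example, not kolla-ansible's or ceilometer's own code; it assumes pipeline.yaml has already been parsed into a Python dict with the usual `sources` list, uses a constructed sample pipeline, and takes the 60/300 second defaults from the commit message.

```python
# Constructed sample: the relevant parts of a pipeline.yaml as they would
# look once parsed (kept as a dict so no YAML library is needed to run this).
SAMPLE_PIPELINE = {
    "sources": [
        {"name": "meter_source", "interval": 300, "meters": ["*"],
         "sinks": ["meter_sink"]},
        {"name": "cpu_source", "interval": 60, "meters": ["cpu"],
         "sinks": ["cpu_sink"]},
        # No explicit interval: falls back to the pipeline default.
        {"name": "disk_source", "meters": ["disk.*"], "sinks": ["disk_sink"]},
    ],
}

# Defaults as stated in the commit message (assumed to still apply).
DEFAULT_SOURCE_INTERVAL = 300
DEFAULT_EVALUATION_INTERVAL = 60


def source_intervals(pipeline, default=DEFAULT_SOURCE_INTERVAL):
    """Map every pipeline source name to its polling interval in seconds."""
    return {
        src["name"]: int(src.get("interval", default))
        for src in pipeline.get("sources", [])
    }


def check_evaluation_interval(evaluation_interval, pipeline):
    """Return the names of sources whose interval exceeds evaluation_interval.

    Each source returned here polls less often than the evaluator runs, so
    the evaluator would see no recent samples and mark the alarm as
    'insufficient data'.
    """
    return sorted(
        name for name, interval in source_intervals(pipeline).items()
        if interval > evaluation_interval
    )


def minimum_evaluation_interval(pipeline):
    """Smallest evaluation_interval (seconds) that satisfies every source."""
    intervals = source_intervals(pipeline)
    return max(intervals.values()) if intervals else DEFAULT_SOURCE_INTERVAL


if __name__ == "__main__":
    bad = check_evaluation_interval(DEFAULT_EVALUATION_INTERVAL, SAMPLE_PIPELINE)
    if bad:
        print("evaluation_interval=%d is too short for: %s; raise it to >= %d"
              % (DEFAULT_EVALUATION_INTERVAL, ", ".join(bad),
                 minimum_evaluation_interval(SAMPLE_PIPELINE)))
    else:
        print("evaluation_interval is compatible with all pipeline sources")
```

With the defaults, the sample flags `disk_source` and `meter_source` (both effectively 300 s) against the 60 s evaluation_interval and recommends 300 s; raising evaluation_interval to 300 clears the report.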
* remove ceilometer-api and ceilometer-collector service
* use ceilometer-notification to publish message to proper backend
* remove useless ceilometer_database_type and ceilometer_event_type
variables
* sync event_definitions.yaml, event_pipeline.yaml and pipeline.yaml
file with upstream
Change-Id: Ib39053cb5f70bd11ee61d3f26d5b28accecd7190
gnocchi has an archive policy rule feature, which can control a metric's
archive_policy. gnocchi also has a default archive policy rule which
uses the low archive policy.
On the other hand, archive_policy is marked as deprecated and will be
removed in the future in ceilometer[0].
So we should remove archive_policy from ceilometer.conf.
[0] https://review.openstack.org/#/c/448586/
Change-Id: I0aa726f6420d628bda3fb4c4eba86b55fe1e2699
Closes-Bug: #1696038
Many of the templates use 600; remove the unnecessary permission
on these templates to bring them in line with the others.
Change-Id: I30fe1b3822b9c7bb6ab98729fc519dc1d603db27
When using panko event dispatcher and publisher in ceilometer, it
depends on panko.conf file.
Change-Id: Ie91c072b233597758955b70bd526b2603b86e995
Closes-Bug: #1672241
Ceilometer-*.json does not apply permissions at
kolla_logs/ceilometer as other roles do in config.json.
This is causing ceilometer-central to keep restarting
because it cannot read/write the ceilometer-polling.log file.
Change-Id: I865bf01d6c3d87f1a2cf31976ca9e46bcbcad744
Closes-Bug: #1671020
Ceilometer dispatcher configurations are there for gnocchi as the
backend, but when we use mongodb or mysql the dispatcher configurations
are missing.
Closes-Bug: #1640166
(cherry picked from commit d99659050763c71e63ed8b57cbf16d4ce85980fa)
Change-Id: I9cdfc6e2208978e72b76bff7f6a1cba80386ffa8
The store_events parameter was removed from ceilometer collector
service with https://review.openstack.org/#/c/367982
Change-Id: If08c280949a2ef5274cc8b029750f98d6f6af79b
Closes-bug: #1647585
When configuring kolla with
- kolla_enable_tls_external: "yes"
ceilometer service credential defaults to publicURL.
Ceilometer should work with the internal interface (v3 API Identity syntax):
.....
[service_credentials]
interface = internal
.....
Change-Id: I898ffb2b901f08b810756d80dbb988d8c9298219
Closes-Bug: #1643860
Users can specify database address and port for mysql backend
of Ceilometer. Currently ceilometer_database_mysql_address
incorrectly includes port. This is unnecessary, also Ceilometer
bootstrapping (mysql_user, mysql_db Ansible modules) wants to use
these variables separately.
Change-Id: I88f5359517fcf4f119ec6abfdf16a15a4e33b6fd
Closes-Bug: #1639786
At the moment we use "memcached_servers =
{{ kolla_internal_fqdn }}:{{ memcached_port }}" in
keystone_authtoken for Ceilometer.
This cannot work because our haproxy service does
not offer memcache, so fix it.
Change-Id: I7d9630b8b232f0e5e2a0a33304817a1b255d4855
Closes-Bug: #1634146
* ceilometer-api script is removed and ceilometer-api is run using apache
* fix connection url in ceilometer.conf
Closes-Bug: #1624905
Change-Id: Iffb00ca418bab6521d61b16de4f5760aa1ae1ac7