Due to poor planning on our variable names we have a situation where
we have "internal_address" which must be a VIP, but "external_address"
which should be a DNS name. Now with two vips "external_vip_address"
is a new variable.
This corrects that issue by deprecating kolla_internal_address and
replacing it with 4 nicely named variables.
kolla_internal_vip_address
kolla_internal_fqdn
kolla_external_vip_address
kolla_external_fqdn
The default behaviour will remain the same, and the way the variable
inheritance is setup the kolla_internal_address variable can still be
set in globals.yml and propogate out to these 4 new variables like it
normally would, but all reference to kolla_internal_address has been
completely removed.
Change-Id: I4556dcdbf4d91a8d2751981ef9c64bad44a719e5
Partially-Implements: blueprint ssl-kolla
The generic driver for manila need the neutron agents
and OVS / Linuxbridge running on the same node as manila_share.
This is necessary when the DHSS (Driver Handles Share Servers)
is the value "True", so that the manila_share can talk
with NFS manager.
Change-Id: I21904659b1789fa71118401bfb6ac2227ae564da
Partially-Implements: blueprint enable-manila-containers
Working towards the blueprint that will add TLS protection
for the external endpoints, kolla needs certificates.
When kolla deploys OpenStack, the external VIP will need
a server side certifcate. Clients that access those endpoints will
need the public CA certificate that signed that certificate.
This ansible script will create these two certificates to make
it easy to use TLS in a test environment. The generated
certificate files are:
/etc/kolla/certificates/haproxy.pem (server side certificate)
/etc/kolla/certificates/haproxy-ca.pem (CA certificate)
The generated certificates are not suitable for use in a
production environment, but will be useful for testing and
verifying operations.
Partially-implements: blueprint ssl-kolla
Change-Id: I208777f9e5eee3bfb06810c7b18a2727beda234d
Since openvswitch is handled in the kernel, it really is as simple as
upgrade the container since the container only has userspace tools in
it.
Partially-Implements: blueprint upgrade-kolla
Implements: blueprint upgrade-neutron
Change-Id: Iec57c67a1ccba8f48b752fe832cd714bcc658af0
Ceph is pretty easy to work with. Upgrade mons, then osds, then rgws
We want to eventually make these serial values configurable, but for
now due to cephs delicate distributed network nature it is safest to
only run 1 change at a time.
Change-Id: Icc721ab3651379c28fee853ca95f9e3ddf102998
Partially-Implements: blueprint upgrade-kolla
Implements: blueprint upgrade-ceph
Currently Heka fails to parse the RabbitMQ logs. There are two
problems:
1. The rabbit-sasl.log file is ignored but the file_match expression
does not match.
2. The delimiter used in the RegexSplitter makes Heka stop on the
very first log entry. '\n\n(=[^=]+====' (with two \n's) is
a better delimiter. deliver_incomplete_final is used to get the
final log entry.
TrivialFix
Change-Id: I94720340d5b2d6fd5d7641b9ff58733f6cd882ee
This is single task to upgrade both haproxy and keepalived. It stops
slave nodes of keepalived and upgrades them separately to avoid
VIP migration and allow nearly no-downtime upgrade
Change-Id: I06124635a3f3553a4e8e91013cefbf897dd7179f
Implements: blueprint upgrade-haproxy
Implements: blueprint upgrade-keepalived
Partially-implements: blueprint upgrade-kolla
HAProxy: change to use option forwardfor to pass origin IP address
to backend via X-Forwarded-For header
Keystone: Apache does the audit logs for keystone. Change the
LogFormat to display the passed address instead of the connection
address which is that of the load balancer.
Nova, Cinder, Glance: these services can make use of the address
passed in X-Forwarded-For. With this setting the API logs for
these services include the client IP address.
Change-Id: Ia861ecc11a7c7d463d0366586926d1a842853f69
Closes-Bug: #1548935
To improve security, operators have asked for two VIPs for
their cloud.
VIP 1 is the internal VIP that can reach internal and admin endpoints.
In addition, the internal VIP can also reach other internal services,
such as the database and message services.
VIP 2 is the external VIP that can only reach public endpoints.
With one VIP only, all services are reached at the same address.
To add a second VIP, this patch adds two new configuration parameters.
kolla_external_vip_address: is an IPv4 address to use for created VIP
kolla_external_vip_interface: is the network interface to use for VIP
In this scenario, the first VIP (the internal VIP), is defined by
the original parameters (kolla_internal address and network_interface).
When using two VIPs, the existing kolla_external_address parameter
should be/point to/resolve to the kolla_external_vip_address.
Closes-bug: 1535333
Change-Id: I5bfcefaf7899298455cdade8209c34324aebfecb
This bootstrap was non-idempotent. This patch follows the style
first implemented with nova to make this idempotent.
TrivialFix
Change-Id: Id04e59c5274a7d8a5bffd3ce018f3bbb84839d75
This should be later replaced with actual upgrade logic
Change-Id: I1c386a7f3bc0d15ebe4a47d2628833172a15f89b
Partially-implements: blueprint upgrade-kolla
Partially-implements: blueprint upgrade-elasticseatch
Swift uses Syslog, but it uses a custom log format. So this commit
adds a specific Heka decoder for Swift.
It also increases the log level from "warning" to "info" to make
Swift more verbose. Note that "info" is the default log level in
Swift.
And it disables the Heka configuration for Swift when "enable_swift"
is set to "no". This prevents Heka from creating 15 empty Swift log
files in the logs volume.
Partially implements: blueprint heka
Change-Id: If7a7d0707e71be2957178e2d45b5de51b788232e
New playbook for glance service upgrade.
Change-Id: I759e4eddf669112f752fe07d6b99a4bb9593d97f
Implements: blueprint upgrade-glance
Partially-Implements: blueprint upgrade-kolla
In order to avoid the neutron-dhcp-agent container from
failing, you need to change 'MountFlags' to 'shared' in
/var/lib/systemd/system/docker.serivce. Add a precheck
so that this issue will not happen as often.
Closes-bug: #1546681
Change-Id: I339b5e93e870534fe16c6610f299ca789e5ada62
The new heka changed log path. It is necessary to change
the dnsmasq log path as well.
Change-Id: Iaffecb8baf87961931727ce653f6c72740896a8f
Closes-Bug: 1548199
Based on the Nova upgrade patch and recommendations from Swift PTL John
Dickinson at
https://swiftstack.com/blog/2013/12/20/upgrade-openstack-swift-no-downtime/
Notes:
As part of this upgrade I have chosen to *not* migrate any data from the
old style swift_data container. This is because it was never intended to
be used in production; this fact is made clear in the docs.
In regards to testing, as of this patch we do not yet have an upgrade
task for the common containers (rsyslog and kolla-toolbox), so
attempting to upgrade swift will result in it failing to find the
kolla-toolbox. This will be true of any other upgrade until upgrade for
common is added. It can be worked around by deploying another role such
as keystone which will drag in the common role and start up
kolla-toolbox, after which Swift can be successfully upgraded.
Change-Id: I138556932e9bddcd595d94a3dcb69603268880ff
Partially-Implements: blueprint upgrade-kolla
Implements: blueprint upgrade-swift
The Ansible logs are currently not collected by Heka. This can be
done later, with an Ansible-specific decoder for Heka.
Partially implements: blueprint heka
Change-Id: I8d3ba4edb527f61c0a8234024b4be953c6e6c565
